SonicWall SMA1000 zero-days chained: CISA adds CVE-2026-15409 and 15410 to KEV
CISA added SonicWall SMA1000 zero-days CVE-2026-15409 (SSRF, CVSS 10.0) and CVE-2026-15410 to KEV on July 14, chained by Rapid7 MDR. Federal deadline July 17.
SonicWall confirmed active exploitation of two SMA 1000 Series zero-days after Rapid7's MDR team observed the chain in internet-facing appliances. CVE-2026-15409 is an unauthenticated SSRF in the Appliance Work Place interface, rated CVSS 10.0. CVE-2026-15410 is a post-authentication OS command injection in the Appliance Management Console, rated CVSS 7.2. CISA added both to the Known Exploited Vulnerabilities catalog on July 14, 2026, with a July 17 BOD 26-04 remediation deadline for federal civilian agencies. There is no workaround; patching is the only fix.
Affected products
Per the SonicWall product notice:
- SMA 6210, SMA 7210, SMA 8200v
- Firmware: 12.4.3 branch through 12.4.3-03434, and 12.5.0 branch through 12.5.0-02800.
SMA 100 Series appliances (200/210/400/410/500v) are not in scope of this notice.
Patched builds
- 12.4.3-03453 platform-hotfix or later.
- 12.5.0-02835 platform-hotfix or later.
Both are available on mysonicwall.com. SonicWall states no workaround exists — patching is the only complete remediation.
The chain
Rapid7's MDR write-up, which triggered the vendor disclosure, describes the two bugs used in tandem:
- CVE-2026-15409 — the SSRF primitive lets an unauthenticated remote attacker force the appliance to open a websocket-based tunnel to arbitrary localhost-only services and reach internal network segments that would normally be shielded.
- CVE-2026-15410 — the post-auth code injection in the Management Console. Reachable via a localhost service on port 8188, a path-traversal in the
remove_hotfixworkflow executes arbitrary OS commands as root.
Combined, an unauthenticated internet attacker reaches root on the appliance without needing a valid credential. That is why CISA treats these as a paired KEV addition rather than two separate entries.
Detection artefacts
Rapid7's blog publishes the following IOCs. Reproduce them on your appliance's logs verbatim:
extraweb_access.log
requests to /__api__/login or /__api__/logout returning HTTP 200
requests to /wsproxy with suspicious host parameters returning HTTP 101
ctrl-service.log
hotfix rollbacks whose names contain path-traversal sequences
/var/lib/unit/conf.json
routes for /__api__/login or /__api__/logout
(these URIs do not exist in a legitimate configuration)
Neither SonicWall nor CISA has published YARA, Sigma, or Snort artefacts as of writing. Rapid7's log-string set is the only detection package in circulation from the disclosing party.
Action checklist
- Upgrade every SMA 1000 appliance to 12.4.3-03453 or 12.5.0-02835 (or later) from
mysonicwall.com. Federal civilian agencies must meet the July 17, 2026 BOD 26-04 deadline for both CVEs, or discontinue the product. - Hunt the four Rapid7 IOCs on any appliance that has been internet-reachable prior to patching. Pull
extraweb_access.log,ctrl-service.log, and/var/lib/unit/conf.jsonand grep for the strings above. A hit on any of them is treated as compromise. - If compromise is confirmed, follow SonicWall's response guidance: re-image physical appliances or redeploy virtual appliances from a clean image, then rotate every user and administrator password and reset TOTP tokens. Patching alone does not evict the attacker.
- Take the Work Place interface off the public internet wherever the workload allows while the audit runs. The unauthenticated SSRF primitive gets an attacker the tunnel; removing exposure removes the primitive.
- Preserve appliance disk images before re-imaging if compromise is suspected. Rapid7's IOCs cover the initial-access chain but not any second-stage tooling an operator may have staged from root.
Context
The SMA 1000 line has now shipped an actively-exploited chain twice in eighteen months — the January 2025 SMA1000 CVE-2025-23006 deserialization RCE also landed in KEV and drew a Rapid7 MDR advisory. The pattern — an internet-facing SSL-VPN appliance where a Work Place primitive tunnels into an admin-only Management Console — is what makes the paired disclosure land at CVSS 10.0. The July 14 KEV batch also includes CVE-2026-56155 (ADFS) and CVE-2026-56164 (SharePoint), covered in yesterday's post; federal-civilian remediation deadlines for all four converge on July 17.