Skip to content

SonicWall SMA1000 CVE-2026-15409/15410 chained in the wild, KEV

SonicWall confirms in-the-wild chaining of an unauth SSRF (CVE-2026-15409, CVSS 10.0) and a post-auth command injection (CVE-2026-15410, CVSS 7.2) on SMA1000 6210/7210/8200v. CISA KEV due 2026-07-17.

Published 4 min read

SonicWall's PSIRT confirmed on July 14, 2026 that two SMA1000 vulnerabilities are being chained in active zero-day attacks: CVE-2026-15409, an unauthenticated server-side request forgery in the Work Place interface (CVSS v3.1 10.0), and CVE-2026-15410, a post-authentication OS command injection in the Appliance Management Console (CVSS v3.1 7.2). CISA added both to the Known Exploited Vulnerabilities catalog the same day, with a BOD 26-04 remediation deadline of July 17, 2026. Fixes ship in platform-hotfix 12.4.3-03453 and 12.5.0-02835.

What the chain does

CVE-2026-15409 lets an unauthenticated remote attacker force the SMA1000 Work Place front-end to originate HTTP requests to arbitrary internal destinations. On the SMA1000, the Work Place interface and the Appliance Management Console (AMC) share the appliance's internal trust boundary — SSRF against Work Place hands the attacker a proxy into the AMC's authentication surface. CVE-2026-15410 sits inside AMC: once an attacker has an authenticated administrator session there, an input-validation gap lets them execute arbitrary OS commands as the underlying appliance user.

In the incidents SonicWall has investigated to date, the two bugs are used in tandem: the SSRF is the on-ramp, the code-injection is the payload delivery. Neither, standalone, gets a remote attacker to code execution; chained, they do. That is why the SSRF's raw CVSS 10.0 and the injection's authenticated 7.2 read as understating the combined risk.

Affected versions

Affected SMA1000 models: 6210, 7210, 8200v (virtual). Vulnerable platform-hotfix builds enumerated by SonicWall:

  • 12.4.3-03245
  • 12.4.3-03387
  • 12.4.3-03434
  • 12.5.0-02283
  • 12.5.0-02624
  • 12.5.0-02800

Fixed builds:

  • 12.4.3-03453 and later on the 12.4 branch
  • 12.5.0-02835 and later on the 12.5 branch

SonicWall's PSIRT advisory sits at psirt.global.sonicwall.com under the SNWLID references issued for the two CVEs.

Exploitation status

Confirmed exploited in the wild by SonicWall's own PSIRT, based on multiple incident investigations. CISA's KEV listing echoes that finding — KEV entries are added only when CISA has direct evidence of in-the-wild exploitation, so the KEV addition is not an independent second confirmation, but it does trigger the BOD 26-04 clock for federal civilian agencies. No public IOCs, YARA rules, Sigma rules, or Snort signatures have been published by SonicWall, CISA, or third-party researchers as of writing. Coverage from BleepingComputer and Help Net Security mirrors the vendor timeline without adding an independently-observed IOC set. SonicWall recommends reviewing logs for indicators of compromise even after applying the update — but the vendor has not shipped a concrete pattern to look for. If detection artefacts land, we will update.

No threat actor has been named. SonicWall has not attributed the activity to a specific group and no third party has published attribution.

Action checklist

  1. Upgrade SMA1000 to 12.4.3-03453 or 12.5.0-02835 today. Federal civilian agencies are bound by the July 17, 2026 BOD 26-04 deadline; treat that as the ceiling, not the floor. If you cannot upgrade by then, BOD 26-04 requires you to discontinue use of the product — the "mitigations aren't ready" excuse doesn't apply here because SonicWall shipped the fix concurrently with the advisory.
  2. Assume administrator compromise on any SMA1000 that ran a vulnerable build with Work Place exposed to the internet. The chain lands as the appliance user; treat the appliance's stored credentials, tokens, and any SSO trust anchor it holds as leaked. Rotate.
  3. Rotate AMC administrator credentials and any API tokens the appliance issued before returning the box to service. Because the second half of the chain requires authenticated AMC access, any prior admin session cookie the attacker landed with must be invalidated — a password change alone is not enough if session store cleanup did not happen.
  4. Audit outbound requests from Work Place back to the earliest date the appliance ran any of the enumerated vulnerable builds. Look for unexpected internal destinations — that is the SSRF signature in the absence of vendor-supplied IOCs.
  5. Front the SMA1000 with strict source-IP allowlisting for the AMC surface where feasible. AMC has no business being reachable from every source that can hit Work Place; the fewer callers who can reach the injection sink, the smaller the residual blast radius on the next AMC-side bug.

Context

This is not the first SMA1000 credential-boundary chain to see zero-day exploitation. In January 2025 SonicWall disclosed CVE-2025-23006, a pre-auth deserialization in AMC/CMC, also exploited before patch — same appliance family, same "management-plane surface exposed to too many callers" pattern. The 2026 pair is a variation on the same theme: a Work Place-side primitive borrows Work Place's reachability to reach AMC-side code that was written assuming an authenticated boundary. Every SMA1000 zero-day the vendor has confirmed in the last eighteen months has landed on that seam. Operators who have not yet moved AMC behind a separate ingress control should treat this incident as the third warning, not the first.

Related stories