SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution.
The vulnerabilities are listed below -
- CVE-2026-15409 (CVSS score: 10.0) - A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to potentially cause the appliance to make requests to an unintended location.
- CVE-2026-15410 (CVSS score: 7.2) - A post-authentication code injection vulnerability rooted in the Appliance Management Console (AMC) that a remote authenticated attacker could exploit to execute arbitrary operating system commands as administrator under certain conditions.
SonicWall said it has "investigated multiple cases indicating the active exploitation of the vulnerabilities," urging customers to apply the fixes as soon as possible. The patches are available in the following versions -
- 12.4.3-03453 (platform-hotfix) and higher versions
- 12.5.0-02835 (platform-hotfix) and higher versions
Users are also urged to perform a thorough forensic analysis of the system to determine the presence of any indicators of compromise (IoCs) associated with exploitation -
- If in extraweb_access.log are mentioned requests to /__api__/login or /__api__/logout with http 200 status
- If in extraweb_access.log are mentioned requests to /wsproxy with suspicious host parameters with 101 http status
- If in ctrl-service.log are mentioned hotfix rollbacks with path traversal names
- If /var/lib/unit/conf.json contains routes for /__api__/login or /__api__/logout (these URIs do not exist in legitimate configuration)
Should one of these indicators be present, it's advised to re-image physical appliances or redeploy virtual appliances, change user and administrator passwords, and reset time-based one-time password tokens.
Adam Babis of SonicWall's product security incident response team (PSIRT) has been credited with discovering and reporting the flaws. SonicWall also acknowledged the contributions of Volexity's Sean Koessel and Steven Adair to help advance the internal investigation and identify an additional IoC.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the two flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 17, 2026.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.











English (US) ·