Published Wednesday, July 15, 2026 at 12:11 AM PT

BLUF: Two zero-day vulnerabilities in SonicWall SMA 1000 appliances are being actively exploited in the wild. One vulnerability (CVE-2026-15409) enables unauthenticated administrative command execution. Organizations running SMA 1000 devices must apply patches immediately and assume compromise if exploitation occurred.
DETAILS:
- Two confirmed zero-days: CVE-2026-15409 and CVE-2026-15410 affecting SonicWall SMA 1000 appliances; both are under active exploitation
- Critical severity: CVE-2026-15409 allows unauthenticated attackers to execute administrative commands, potentially granting full device control
- Active attacks confirmed: Multiple security firms report exploitation in the wild; MFA bypass and credential theft reported in related SonicWall VPN exploitation campaigns
- SonicWall response: Vendor has issued urgent patch guidance; patches are available but deployment status across customer base is unknown
- Scope uncertainty: Exact number of affected organizations and confirmed compromises not yet disclosed; SMA 1000 is widely deployed in enterprise remote access infrastructure
IMPACT:
- Affected systems: Organizations using SonicWall SMA 1000 appliances for VPN/remote access
- Risk level: CRITICAL โ unauthenticated remote code execution with administrative privileges
- Potential compromise: Attackers could establish persistent access, bypass MFA, exfiltrate credentials, or pivot to internal networks
- Timeline: Active exploitation ongoing; assume any unpatched device may be compromised
RECOMMENDED ACTIONS:
- Immediate: Identify all SonicWall SMA 1000 appliances in your environment
- Priority: Apply SonicWall patches for CVE-2026-15409 and CVE-2026-15410 without delay
- Detection: Review VPN access logs for suspicious administrative activity, failed authentication attempts, or unusual command execution
- Assume breach: If patching will be delayed, treat SMA 1000 devices as potentially compromised; monitor for lateral movement
- Credential rotation: Reset VPN user credentials and administrative accounts post-patch
SOURCES:
- The Hacker News, SecurityWeek, BleepingComputer, Help Net Security, Huntress Labs
- CVE-2026-15409, CVE-2026-15410
