Published Wednesday, July 15, 2026 at 12:13 PM PT

BLUF: SonicWall SMA1000 remote access appliances are under active exploitation via two chained zero-day vulnerabilities (CVE-2026-15409, CVE-2026-15410). Attackers exploited these flaws for approximately three weeks before vendor disclosure. Organizations running affected SMA1000 devices must apply patches immediately. One vulnerability enables administrative command execution.
DETAILS:
- Two zero-day vulnerabilities in SonicWall SMA1000 Series appliances confirmed under active exploitation in the wild
- Attackers chained the vulnerabilities together; one flaw enables server-side request exploitation, the other permits elevated administrative access
- Active exploitation occurred approximately 21 days prior to SonicWall’s July 14, 2026 security advisory and patch release
- Huntress reporting indicates exploitation used to bypass multi-factor authentication (MFA) and establish persistence
- SonicWall has released patches; vendor status on patch availability across all affected firmware versions is not fully detailed in available reporting
IMPACT:
- Affected systems: SonicWall SMA1000 Series remote access appliances (VPN/secure access devices)
- Scope: Unknown number of organizations; SMA1000 is widely deployed in enterprise environments for remote workforce access
- Risk level: CRITICAL β administrative command execution capability combined with MFA bypass creates complete device compromise risk
- Exposure window: Organizations unpatched remain vulnerable to active threat actors
RECOMMENDED ACTIONS:
- Immediate: Identify all SonicWall SMA1000 appliances in your environment
- Priority 1: Apply SonicWall patches for CVE-2026-15409 and CVE-2026-15410 to all affected devices within 24-48 hours
- Concurrent: Review VPN access logs for July 14 and prior three weeks for suspicious authentication patterns, MFA bypass attempts, or administrative activity
- Monitor: Enable enhanced logging on SMA1000 devices during and after patching
- Verify: Confirm patch application across all instances; do not assume automatic updates
SOURCES: CyberScoop, SecurityAffairs, SecurityWeek, Help Net Security, Huntress, The Hacker News, Rapid7, BleepingComputer
