Published Thursday, July 16, 2026 at 06:17 AM PT

BLUF: Two critical zero-day vulnerabilities in SonicWall SMA 1000 Series remote access appliances are being actively exploited in the wild. One requires no authentication; the other requires valid credentials. Organizations operating SMA 1000 devices must apply patches immediately. Public exploits are available.
DETAILS:
CVE-2026-15409 (CRITICAL): Unauthenticated Server-Side Request Forgery (SSRF) flaw in the Workplace interface. Requires no valid credentials to exploit. Confirmed public exploit available.
CVE-2026-15410 (CRITICAL): Post-authentication code injection vulnerability in the Appliance Management Console. Requires valid administrative credentials. Confirmed public exploit available.
Both vulnerabilities affect SonicWall SMA 1000 Series secure remote access appliances—commonly deployed as VPN gateways for enterprise remote workforce access.
SonicWall has released patches; specific patch versions and deployment timeline remain uncertain from available reporting.
Active exploitation confirmed; threat actors are leveraging these flaws in ongoing campaigns.
IMPACT:
Scope: Organizations with SMA 1000 Series appliances exposed to internet-facing Workplace or Management Console interfaces.
Risk: CVE-2026-15409 enables unauthenticated attackers to bypass network controls, access internal resources, and potentially pivot to backend systems. CVE-2026-15410 allows authenticated users (or attackers with stolen credentials) to execute arbitrary code with appliance privileges.
Criticality: Remote access appliances are high-value targets; compromise enables lateral movement into corporate networks.
RECOMMENDED ACTIONS:
Immediate: Identify all SMA 1000 Series appliances in your environment and verify current firmware versions.
Urgent: Apply SonicWall patches as soon as tested and validated in your environment.
Interim Mitigation: Restrict network access to Workplace and Management Console interfaces to trusted IP ranges only; disable unnecessary remote access if operationally feasible.
Detection: Monitor SMA 1000 logs for suspicious SSRF requests (unusual internal IP access patterns) and code injection attempts in management console activity.
Threat Hunt: Review access logs for the past 30 days for indicators of exploitation.
SOURCES:
- SOC Prime threat intelligence
- Sploitus public exploit repository (CVE-2026-15409 exploit confirmed available)
