Published Thursday, July 16, 2026 at 06:17 AM PT

<strong>CRITICAL: SonicWall SMA 1000 Zero-Days Under Active Exploitation</strong>

BLUF: Two critical zero-day vulnerabilities in SonicWall SMA 1000 Series remote access appliances are being actively exploited in the wild. One requires no authentication; the other requires valid credentials. Organizations operating SMA 1000 devices must apply patches immediately. Public exploits are available.


DETAILS:

  • CVE-2026-15409 (CRITICAL): Unauthenticated Server-Side Request Forgery (SSRF) flaw in the Workplace interface. Requires no valid credentials to exploit. Confirmed public exploit available.

  • CVE-2026-15410 (CRITICAL): Post-authentication code injection vulnerability in the Appliance Management Console. Requires valid administrative credentials. Confirmed public exploit available.

  • Both vulnerabilities affect SonicWall SMA 1000 Series secure remote access appliances—commonly deployed as VPN gateways for enterprise remote workforce access.

  • SonicWall has released patches; specific patch versions and deployment timeline remain uncertain from available reporting.

  • Active exploitation confirmed; threat actors are leveraging these flaws in ongoing campaigns.


IMPACT:

  • Scope: Organizations with SMA 1000 Series appliances exposed to internet-facing Workplace or Management Console interfaces.

  • Risk: CVE-2026-15409 enables unauthenticated attackers to bypass network controls, access internal resources, and potentially pivot to backend systems. CVE-2026-15410 allows authenticated users (or attackers with stolen credentials) to execute arbitrary code with appliance privileges.

  • Criticality: Remote access appliances are high-value targets; compromise enables lateral movement into corporate networks.


RECOMMENDED ACTIONS:

  1. Immediate: Identify all SMA 1000 Series appliances in your environment and verify current firmware versions.

  2. Urgent: Apply SonicWall patches as soon as tested and validated in your environment.

  3. Interim Mitigation: Restrict network access to Workplace and Management Console interfaces to trusted IP ranges only; disable unnecessary remote access if operationally feasible.

  4. Detection: Monitor SMA 1000 logs for suspicious SSRF requests (unusual internal IP access patterns) and code injection attempts in management console activity.

  5. Threat Hunt: Review access logs for the past 30 days for indicators of exploitation.


SOURCES:

  • SOC Prime threat intelligence
  • Sploitus public exploit repository (CVE-2026-15409 exploit confirmed available)