SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution.
The vulnerabilities are listed below -
- CVE-2026-15409 (CVSS score: 10.0) - A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to potentially cause the appliance to make requests to an unintended location.
- CVE-2026-15410 (CVSS score: 7.2) - A post-authentication code injection vulnerability rooted in the Appliance Management Console (AMC) that a remote authenticated attacker could exploit to execute arbitrary operating system commands as administrator under certain conditions.
SonicWall said it has "investigated multiple cases indicating the active exploitation of the vulnerabilities," urging customers to apply the fixes as soon as possible. The patches are available in the following versions -
- 12.4.3-03453 (platform-hotfix) and higher versions
- 12.5.0-02835 (platform-hotfix) and higher versions
Users are also urged to perform a thorough forensic analysis of the system to determine the presence of any indicators of compromise (IoCs) associated with exploitation -
- If in extraweb_access.log are mentioned requests to /__api__/login or /__api__/logout with http 200 status
- If in extraweb_access.log are mentioned requests to /wsproxy with suspicious host parameters with 101 http status
- If in ctrl-service.log are mentioned hotfix rollbacks with path traversal names
- If /var/lib/unit/conf.json contains routes for /__api__/login or /__api__/logout (these URIs do not exist in legitimate configuration)
Should one of these indicators be present, it's advised to re-image physical appliances or redeploy virtual appliances, change user and administrator passwords, and reset time-based one-time password tokens.
Adam Babis of SonicWall's product security incident response team (PSIRT) has been credited with discovering and reporting the flaws. SonicWall also acknowledged the contributions of Volexity's Sean Koessel and Steven Adair to help advance the internal investigation and identify an additional IoC.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the two flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 17, 2026.
Update
In a follow-up report published on July 15, 2026, Rapid7 said it observed active, targeted zero-day exploitation of internet-facing SMA 1000-series appliances since at least late last month. It's assessed that attackers are chaining together the two flaws to take control of susceptible devices.
"Threat actors were primarily leveraging the perimeter appliance as a stealthy initial access vector, executing commands on the operating system by bypassing traditional input validation controls," the cybersecurity company noted.
"Once they established a foothold on the appliance, the actors systematically extracted high-value credentials, active session databases, and Time-Based One-Time Password (TOTP) multi-factor authentication (MFA) seed configurations. This local harvesting was designed to ensure long-term, persistent access that could survive standard network-level remediations."
The threat actors are said to have conducted lateral movement, jumping from the compromised appliance directly into the internal corporate network, followed by "anomalous, VPN-less Active Directory authentications targeting core domain controllers." The authentications originated directly from the appliance's internal IP address, utilizing atypical, non-corporate workstation client names (e.g., kali) under the context of its integrated LDAP service account.
"This unique behavior of direct, machine-level lateral movement with no corresponding active VPN tunnel confirmed that the appliance itself had been fully compromised and was acting as an unmonitored backdoor into the corporate directory infrastructure," Rapid7 added.




