At a glance:
-
Threat actors exploited two previously unknown vulnerabilities in SonicWall SMA1000 appliances weeks before patches became available.
-
The attacks turned internet-facing remote access appliances into gateways for credential theft and access to internal systems, including Active Directory environments.
-
Organizations using affected SMA1000 devices should prioritize patching and investigate for signs of compromise, particularly where the appliances are exposed to the internet.
Threat summary
On July 14, 2026, SonicWall released a security advisory on two zero-day vulnerabilities affecting SonicWall Secure Mobile Access (SMA) 1000 appliances.
The same day, the CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after SonicWall confirmed that threat actors had been actively exploiting the flaws prior to the release of security updates.
SonicWall SMA1000 is a remote access platform that enables employees, contractors, and third parties to access internal applications and networks. The vulnerabilities affect SMA1000 models 6210, 7210, and 8200v running specific 12.4.3 and 12.5.0 platform-hotfix releases.
SSL Virtual Private Network (VPN) functionality on SonicWall firewalls and the SMA 100 product line are not affected. SonicWall released fixes in hotfix versions 12.4.3-03453 and 12.5.0-02835.
CVE-2026-15409 (CVSS: 10.0)
The first vulnerability, CVE-2026-15409, is a server-side request forgery (SSRF) vulnerability in the SMA1000 Appliance Work Place interface, the internet-facing user portal that is exposed over HTTPS on port 443 by default.
The flaw resides in the /wsproxy functionality, which proxies connections on behalf of the appliance. SonicWall states that a remote unauthenticated threat actor may cause the appliance to make requests to unintended locations.
CVE-2026-15410 (CVSS: 7.2)
The second vulnerability, CVE-2026-15410, is a code injection issue in the Appliance Management Console (AMC), the administrative interface used to manage and configure SMA1000 appliances.
SonicWall states that, under specific conditions, a remote authenticated administrator may execute operating system commands.
The attack chain
Researchers observed targeted attacks against internet-facing SMA1000 appliances beginning no later than June 22, 2026, and reported that the two vulnerabilities were being chained together during exploitation:
-
CVE-2026-15409 provided access to localhost services running on the appliance that were not intended to be externally accessible and served as the first stage of the observed chain.
-
CVE-2026-15410 then provided a path to operating system command execution through an internal service.
Following appliance compromise, threat actors executed operating system commands, harvested credentials, active session information, and time-based one-time password (TOTP) multi-factor authentication (MFA) seed data to establish persistent access. The harvested data was then used to move deeper into the environment.
Investigators observed Active Directory (AD) authentication activity originating directly from compromised appliances, including connections to domain controllers without an associated Virtual Private Network (VPN) session, indicating that the appliances were being used as a backdoor into the network.
Researchers also reported the availability of a Python proof-of-concept for CVE-2026-15409 and noted that a Metasploit module for the exploit chain was under development.
Analysis
The latest campaign is not the first time threat actors have exploited SonicWall SMA1000 appliances.
In early 2025, CVE-2025-23006 was reported as a zero-day affecting SMA1000 devices, and was used to gain unauthorized access to exposed appliances. Later that same year, CVE-2025-40602 was also exploited as an SMA1000 zero-day, demonstrating continued threat actor interest in the platform.
The previous cases showed why SMA1000 appliances remain attractive targets: compromise of an internet-facing device can expose authentication data and provide a pathway into enterprise authentication infrastructure, including Active Directory environments.
Upgrading to hotfix versions 12.4.3-03453, 12.5.0-02835, or later releases is the primary mitigation.
Organizations are also advised to reduce unnecessary external exposure, limit access to administrative interfaces, review authentication activity originating from the appliance, investigate potential credential theft, and assess whether MFA secrets or other authentication data were exposed.
SonicWall recommends reviewing appliance logs for published indicators of compromise, including suspicious /wsproxy requests, unexpected /__api__/login or /__api__/logout activity, path traversal references associated with hotfix rollback operations, and unauthorized configuration changes.
If those indicators are present, SonicWall recommends treating the appliance as potentially compromised. Recommended remediation actions include reimaging physical appliances or redeploying virtual appliances, rotating user and administrator credentials, resetting TOTP tokens, and validating appliance configurations against known-good baselines.