(TLP:CLEAR) Vulnerability Notification – SonicWall SMA1000 Zero-Days Actively Exploited
Created: Thursday, July 16, 2026 - 15:30
Categories: Cybersecurity, Security Preparedness
ACTION MAY BE REQUIRED for utilities using SonicWall Secure Mobile Access (SMA) 1000 Series remote access appliances (models 6210, 7210, and 8200v). Utilities that outsource technology support may need to consult their service providers for assistance with remediation actions.
Summary: Two zero-day vulnerabilities affecting SonicWall Secure Mobile Access (SMA) 1000 Series appliances are being actively exploited in the wild. Tracked as CVE-2026-15409 (CVSS 10.0), a server-side request forgery (SSRF) vulnerability in the SMA1000 Work Place interface allows a remote unauthenticated attacker to cause the appliance to make requests to an unintended location. The second, CVE-2026-15410 (CVSS 7.2), is a post-authentication code injection vulnerability in the Appliance Management Console (AMC) that, under specific conditions, could enable a remote authenticated attacker to execute arbitrary operating system commands as administrator. SonicWall’s PSIRT has investigated multiple cases indicating active exploitation of both vulnerabilities.
Rapid7’s Managed Detection and Response team observed active, targeted zero-day exploitation of internet-facing SMA 1000-series appliances prior to SonicWall’s disclosure, and assesses that attackers are chaining the two flaws together to take control of susceptible devices. According to Rapid7, threat actors leveraged the perimeter appliance as a stealthy initial access vector, then systematically extracted credentials, active session databases, and Time-Based One-Time Password (TOTP) multi-factor authentication seed configurations — harvesting designed to ensure persistent access that could survive standard network-level remediation. Rapid7 further observed lateral movement from the compromised appliance directly into internal corporate networks, including anomalous, VPN-less Active Directory authentications against core domain controllers originating from the appliance’s own internal IP address.
Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, with a remediation deadline of July 17, 2026 for Federal Civilian Executive Branch agencies.
Analyst Note: This vulnerability chain is particularly concerning for utilities because SMA1000 appliances sit at the network edge and commonly provide remote access for enterprise networks, operational personnel, contractors, and support vendors. Full compromise of such an appliance could give attackers an unmonitored foothold inside trusted network environments, enabling credential theft, lateral movement, and access to systems supporting OT environments. Because exploitation was confirmed before public disclosure, patching alone may not be sufficient.
Affected Versions:
SMA1000 Models 6210, 7210, and 8200v running:
- 12.4.3-03245, 12.4.3-03387, and 12.4.3-03434 (platform-hotfix)
- 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800 (platform-hotfix)
SonicWall notes these vulnerabilities do not affect SSL-VPN running on SonicWall firewalls or the SMA 100 Series product line. No workarounds are available.
Fixed Versions:
- 12.4.3-03453 (platform-hotfix) and higher versions
- 12.5.0-02835 (platform-hotfix) and higher versions
The latest platform-hotfix is available for download on mysonicwall.com.
WaterISAC strongly encourages members to determine whether SMA1000 appliances are deployed within their environments and to update affected systems immediately according to SonicWall’s recommendations in its advisory.
Additional Reading
- Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands
- SonicWall Security Advisory SNWLID-2026-0008: SonicWall SMA1000 Series Appliances Affected by Multiple Vulnerabilities
- Rapid7 MDR Team Discovers New SonicWall SMA1000 Zero Days being Actively Exploited (CVE-2026-15409, CVE-2026-15410)
