SonicWall Warns of Zero-Day Vulnerabilities in SMA1000 Appliances, Urging Administrators to Apply Security Patches

Views: 56 views

388/69 Thursday, July 16, 2026

SonicWall has issued an advisory after threat actors were observed exploiting two zero-day vulnerabilities in SonicWall SMA1000 appliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog and ordered federal agencies under its scope to address affected systems by July 17, 2026. This incident is significant and directly affects organizations using these appliances, as unpatched systems are at high risk of being compromised and used as a gateway into internal networks.

The vulnerabilities include CVE-2026-15409, a Critical Server-Side Request Forgery (SSRF) vulnerability with a CVSS score of 10.0 in the WorkPlace user interface, which allows unauthenticated attackers to force the appliance to send requests to unauthorized destinations. The second vulnerability, CVE-2026-15410, is a High-severity Code Injection flaw with a CVSS score of 7.2 in the management interface, which could allow authenticated administrators to execute arbitrary operating system commands. Although the second vulnerability requires administrator privileges, SonicWall assessed the overall risk of the incident at the maximum severity level of 10.0. The affected devices include SMA1000 models 6210, 7210, and 8200v running certain platform versions in the 12.4.3 and 12.5.0 release branches. The issue does not affect SMA 100 Series products or SSL-VPN features on firewalls.

Administrators should immediately update affected systems to version 12.4.3-03453 or 12.5.0-02835, or later, as there are no alternative mitigations other than applying the patch. They should also inspect systems for signs of compromise in log files, such as abnormal response statuses from authentication or proxy requests in extraweb_access.log, suspicious commands in ctrl-service.log, and invalid route configurations in conf.json. If an appliance is found to have been compromised, SonicWall recommends reinstalling the operating system on hardware appliances or rebuilding virtual appliances. Administrators should also change all user and administrator passwords and reset all TOTP authentication configurations to reduce risk and strengthen the organization’s security posture.

Source: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-sma1000-flaws-exploited-in-zero-day-attacks-patch-now/