Vulnerabilities Bearish 7

SonicWall SMA1000 Zero-Days: Patch Two CVSS 10.0 Flaws by July 17

· 3 min read · Verified by 2 sources ·
Share

Key Takeaways

  • SonicWall confirms active exploitation of two critical zero-day vulnerabilities in SMA1000 appliances.
  • CISA adds the flaws to its KEV catalog with a three-day government remediation deadline.
  • Details on SSRF and code injection risks, affected models, and IOCs.

Mentioned

SonicWall company SMA1000 product CVE-2026-15409 vulnerability CVE-2026-15410 vulnerability CISA government Volexity company

Key Intelligence

Key Facts

  1. 1CVE-2026-15409 is a critical (CVSS 10.0) unauthenticated SSRF vulnerability in the SMA1000 Work Place interface, enabling remote attackers to force the appliance to make unintended requests.
  2. 2CVE-2026-15410 is a high-severity (CVSS 7.2) post-authentication code injection flaw in the Appliance Management Console that allows authenticated admins to execute arbitrary OS commands.
  3. 3Affected SMA1000 models (6210, 7210, 8200v) on specific platform-hotfix releases must be updated to versions 12.4.3-03453 or 12.5.0-02835; no workarounds exist.
  4. 4CISA added both vulnerabilities to its Known Exploited Vulnerabilities catalog on July 14, 2026, with a federal agency remediation deadline of July 17, 2026.
  5. 5SonicWall PSIRT confirmed multiple incidents of active exploitation and has released indicators of compromise (IOCs) to aid detection.
  6. 6Volexity assisted the investigation, but the threat actor behind the zero-day attacks remains unidentified as of publication.
Overall Severity Score
CVSS 10.0 Highest possible

Combined risk rating for CVE-2026-15409 and CVE-2026-15410

SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory.

SonicWall PSIRT Product Security Incident Response Team

Advisory released July 14, 2026

Analysis

For cybersecurity teams managing enterprise remote access, the latest SonicWall advisory demands immediate triage. Two zero-day vulnerabilities—including an unauthenticated SSRF with a CVSS 10.0 score—are under active attack, potentially chaining with an authenticated OS command injection flaw. CISA's rapid addition to the Known Exploited Vulnerabilities list signals federal-level urgency; every SME and SOC must validate exposure and patch within the 72-hour window.

SonicWall has disclosed two zero-day vulnerabilities in its SMA1000 secure remote access appliance line—CVE-2026-15409 (critical SSRF, CVSS 10.0) and CVE-2026-15410 (high-severity post-authentication code injection, CVSS 7.2)—which are being actively exploited in the wild. The vendor's Product Security Incident Response Team (PSIRT) confirmed multiple incident investigations revealing exploitation, though the threat actor’s identity and motives remain unknown. The advisory, released on July 14, 2026, carries an overall CVSS score of 10.0 due to the combined risk, and urges immediate upgrade to hotfix releases 12.4.3-03453 or 12.5.0-02835 for all affected models: SMA1000 6210, 7210, and 8200v.

The advisory, released on July 14, 2026, carries an overall CVSS score of 10.0 due to the combined risk, and urges immediate upgrade to hotfix releases 12.4.3-03453 or 12.5.0-02835 for all affected models: SMA1000 6210, 7210, and 8200v.

CVE-2026-15409 exists in the Appliance Work Place interface and allows a remote, unauthenticated attacker to trigger server-side request forgery (SSRF), causing the appliance to make unintended requests. This can be leveraged to access internal services, pivot into corporate networks, or bypass security controls. CVE-2026-15410 resides in the Appliance Management Console (AMC) and enables an authenticated administrator to inject and execute arbitrary OS commands. While the CVSS for this flaw is 7.2 due to the required privileges, the combination with the SSRF vulnerability could permit an attacker to chain exploits—first gaining a foothold via SSRF, then escalating privileges or achieving code execution. SonicWall has not explicitly confirmed chaining, but the context and available indicators of compromise (IOCs) suggest such a scenario is plausible.

The rapid response from CISA underscores the severity. On the same day as the advisory, CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, setting a tight remediation deadline of July 17, 2026, for U.S. federal agencies. This marks the 17th SonicWall-related entry in the KEV catalog, reflecting a troubling pattern of threat actors—from ransomware groups to nation-state advanced persistent threats (APTs)—repeatedly targeting SonicWall VPN and secure access products. Previous campaigns, such as the exploitation of SMA 100 series and SSL-VPN vulnerabilities, have led to widespread compromises, including ransomware deployments and data exfiltration.

The affected SMA1000 series is designed for large enterprises, supporting up to 10,000 concurrent connections, making these appliances high-value targets. An attacker who gains control could intercept remote sessions, compromise internal resources, or use the appliance as a launchpad for lateral movement. SonicWall has not provided workarounds, emphasizing that patching is the only effective mitigation. Administrators must also review logs for IOCs provided in the advisory and, if compromise is detected, re-image physical appliances or redeploy virtual instances to ensure integrity.

What to Watch

Volexity, the cybersecurity firm credited with assisting SonicWall's investigation, has yet to release independent findings, but its involvement hints at possible targeted or sophisticated attacks. The lack of attribution raises questions about whether this is opportunistic scanning by profit-driven criminals or a coordinated operation by a nation-state actor. Historically, SonicWall’s customer base includes government, military, and critical infrastructure organizations, heightening national security implications.

Beyond immediate patching, the incident reinforces the escalating vulnerability of perimeter security appliances. As enterprises depend on remote access solutions for hybrid workforces, these devices become prime targets. Security teams should not only deploy patches but also implement network segmentation, monitor for anomalous outbound requests indicative of SSRF exploitation, and enforce strict access controls on management interfaces. The short CISA deadline serves as a stark reminder that the window between disclosure and exploitation continues to shrink, leaving little margin for delayed response.

Timeline

Timeline

  1. SonicWall releases security advisory and patches for two zero-day vulnerabilities in SMA1000; CISA adds CVEs to KEV catalog with July 17 deadline.

  2. SecurityWeek and BleepingComputer report on active exploitation details, hotfix versions, and IOC availability.

  3. CISA deadline for federal agencies to apply patches per Binding Operational Directive.

Sources

Sources

Based on 2 source articles

Cite This Page

"SonicWall SMA1000 Zero-Days: Patch Two CVSS 10.0 Flaws by July 17." Cyber Intelligence Brief, July 15, 2026. https://getcyberbrief.com/story/sonicwall-sma1000-zero-day-cvss-10-cisa-kev

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.