SonicWall has issued an urgent alert regarding the active exploitation of two significant zero-day vulnerabilities affecting its Secure Mobile Access (SMA) 1000 series appliances. These vulnerabilities present serious security risks, with one enabling arbitrary command execution by attackers.
Details of the Vulnerabilities
The two vulnerabilities are identified as CVE-2026-15409 and CVE-2026-15410. The first, with a critical CVSS score of 10.0, is a server-side request forgery (SSRF) flaw. It can allow a remote, unauthenticated attacker to manipulate the appliance into making unauthorized requests. The second, with a CVSS score of 7.2, involves post-authentication code injection within the Appliance Management Console (AMC), potentially allowing an authenticated attacker to execute system commands with administrative privileges.
Immediate Patch Deployment Recommended
SonicWall has confirmed multiple exploitations of these vulnerabilities and strongly advises customers to implement the available patches without delay. The necessary updates are included in the platform-hotfix versions 12.4.3-03453 and 12.5.0-02835, along with their subsequent releases. Additionally, SonicWall recommends conducting comprehensive forensic analyses to identify any indicators of compromise (IoCs) that may suggest exploitation.
Indicators of Compromise and Remediation Steps
Key indicators of compromise include specific log entries and configuration changes. These include requests in the extraweb_access.log to /__api__/login or /__api__/logout with a 200 HTTP status, and suspicious host parameters in /wsproxy requests with a 101 HTTP status. If any IoCs are detected, re-imaging physical devices, redeploying virtual appliances, resetting passwords, and updating time-based one-time password tokens are advised.
The vulnerabilities were identified by SonicWall’s Product Security Incident Response Team (PSIRT), led by Adam Babis, with additional contributions from Volexity’s Sean Koessel and Steven Adair, who aided in uncovering further IoCs.
Broader Security Implications
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reacted to the discovery by adding these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This action mandates Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by July 17, 2026, underscoring the critical nature of these security flaws.
The swift response from SonicWall and ongoing updates highlight the importance of proactive security measures and timely patch management in safeguarding enterprise networks against emerging threats.
