SonicWall has released a critical security alert concerning two vulnerabilities that have been discovered in its SMA1000 Series appliances. The company has emphasized that these vulnerabilities are being actively exploited by attackers, posing a real-world threat to affected systems.
Details of the SonicWall Vulnerabilities
The most severe of these issues, identified as CVE-2026-15409, has been assigned a top Common Vulnerability Scoring System (CVSS) score of 10.0, indicating its critical nature. This flaw can be leveraged remotely without any need for authentication, significantly increasing its potential impact.
These vulnerabilities are affecting SonicWall SMA1000 models 6210, 7210, and 8200, particularly those running specific platform-hotfix versions, namely 12.4.3 and 12.5.0.
Impact and Technical Details
SonicWall has clarified that these security issues do not affect the SSL-VPN services of its firewall products or the SMA 100 Series line. The CVE-2026-15409 vulnerability is a server-side request forgery (SSRF) issue found within the SMA1000 Workplace interface. This flaw allows an unauthenticated attacker to redirect requests to internal or external locations, potentially accessing services otherwise unreachable from the internet.
The second vulnerability, CVE-2026-15410, involves post-authentication code injection within the SMA1000 Appliance Management Console, with a CVSS score of 7.2. Although it requires administrator access, exploiting this can lead to full control over the system if credentials are compromised.
Recommended Actions and Mitigation
The SonicWall Product Security Incident Response Team (PSIRT) has been actively investigating exploitation incidents of these vulnerabilities. Although no specific details about the attackers or methods have been disclosed, SonicWall urges immediate installation of the provided hotfix, as no alternative solutions currently exist.
Organizations should upgrade their SMA1000 appliances to platform-hotfix version 12.4.3-0345 or later for the 12.4.3 branch, and version 12.5.0-0283 or later for the 12.5.0 branch. The necessary updates are available through the MySonicWall customer portal.
Administrators are advised to examine appliance logs and configurations for signs of compromise, such as unusual requests to /api/login or /api/logout, and other suspicious activities as outlined by SonicWall.
Future Outlook
Upon detecting any signs of compromise, SonicWall recommends re-imaging the affected hardware or redeploying virtual appliances. Additionally, all user and administrator passwords should be reset, including time-based one-time password tokens, to protect against potential credential theft.
SonicWall has acknowledged the contributions of PSIRT researcher Adam Babis, along with Sean Koessel and Steven Adair of Volexity, for identifying additional indicators of compromise and assisting in the investigation.
