SonicWall Urgent Patch Alert: Two Zero-Day Exploits Exploited
SonicWall has issued an urgent alert for users of SMA1000 secure remote access devices, warning of ongoing exploitation of two critical vulnerabilities.
Urgent Alert for SMA1000 Users
The flaws, designated CVE-2026-15409 and CVE-2026-15410, impact SMA1000 models running firmware versions 6210, 7210, and 8200v. Affected organizations are advised to apply hotfix updates 12.4.3-03453 or 12.5.0-02835 without delay.
Critical Vulnerabilities Exposed
CVE-2026-15409: SSRF Flaw
CVE-2026-15409 is classified as a critical server-side request forgery (SSRF) flaw within the Appliance Work Place interface. This vulnerability enables an unauthenticated remote attacker to manipulate the device into initiating requests to unintended destinations.
CVE-2026-15410: Code Injection Vulnerability
CVE-2026-15410 is a high-severity code injection vulnerability in the Appliance Management Console (AMC). It allows an attacker with administrative privileges to execute arbitrary operating system commands.
Active Exploitation and Response
SonicWall’s Product Security Incident Response Team (PSIRT) confirmed that multiple incidents indicate active exploitation of these vulnerabilities. While the specific threat actors responsible remain unidentified, the vendor has released indicators of compromise (IoCs) to aid in detecting potential breaches.
CISA’s Involvement and Compliance
The Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, mandating federal agencies to address them by July 17. This follows a pattern of attacks targeting SonicWall products, with CISA’s KEV list now including 17 vulnerabilities affecting SMA1000 appliances.
Broader Implications and Recommendations
The advisory underscores the growing risk of supply chain compromises and the need for proactive patch management. Organizations using affected systems are urged to prioritize the recommended updates and monitor for signs of malicious activity. The incident highlights the persistent threat landscape targeting enterprise infrastructure and the importance of timely response to emerging threats.
Volexity, a cybersecurity research firm, collaborated with SonicWall during the investigation but has not yet published details about the attacks.
