Back to Feed
VulnerabilitiesJul 15, 2026

SonicWall customers under threat as attackers exploit 2 zero-days

SonicWall customers face threat from two chained zero-day vulnerabilities exploited before patching.

Summary

Attackers are actively exploiting two zero-day vulnerabilities, CVE-2026-15409 and CVE-2026-15410, in SonicWall SMA1000 appliances. These vulnerabilities are being chained together, allowing for complete system compromise. Rapid7 researchers observed exploitation starting June 22, with the likely goal being ransomware, though they prevented exfiltration and encryption in observed cases. SonicWall has released patches and is assisting customers with mitigation.

Full text

SonicWall customers are attempting to dodge another security challenge as attackers are exploiting a pair of zero-day vulnerabilities that have been confirmed by the vendor. The company publicly disclosed the vulnerabilities — CVE-2026-15409 and CVE-2026-15410 — in a security advisory Tuesday. SonicWall credited an employee with discovering the defects, but it hasn’t said when the discovery occurred or the earliest known instance of exploitation. Rapid7 researchers told CyberScoop both vulnerabilities were first exploited June 22. “From the cases that our team has observed, the goal is likely ransomware, though we have prevented the actors from achieving exfiltration and encryption,” said Seth Lazarus, senior manager of detection and response services at Rapid7. Overlapping tactics, techniques and procedures from the attacks observed by Rapid7 indicate the same threat group or attacker discovered and exploited the zero-days, Lazarus added. SonicWall did not answer questions about the impacts of these attacks thus far, and the company hasn’t attributed the attacks to a known group or described the attacker’s origins and motivations. The vendor did, however, confirm to CyberScoop that both vulnerabilities have been chained together for exploitation. The vulnerabilities affecting SonicWall SMA1000 appliances, including a max-severity defect that allows attackers to make authenticated requests and a 7.2-rated vulnerability that allows authenticated command injection. “When these two are chained, an attacker can go from zero access to a complete system compromise for the affected appliance,” said Landon Rice, senior exploit developer at VulnCheck. Ben Harris, founder and CEO at watchTowr, said two characteristics of the vulnerabilities fuel a sense of dread. “Both were exploited as zero-days before fixes were available, and together they offer a plausible path to remote-code execution from the internet,” he said. The Cybersecurity and Infrastructure Security Agency added both zero-days to its known exploited vulnerabilities catalog Tuesday. SonicWall encouraged customers to patch the vulnerabilities by upgrading to the latest software version, which it released upon disclosure, and shared some indicators of compromise to help customers hunt for potential malicious activity on their systems. “Speed of response was a priority for us,” said Bret Fitzgerald, senior director of global communications at SonicWall. “Within days of becoming aware of the issue, our team had developed a script that we can run on behalf of affected customers to assist with resolution, and mitigation efforts are already underway.” SonicWall and third-party researchers haven’t said how many SonicWall customers are impacted by the exploited vulnerabilities, but the vendor did say it already investigated multiple cases of active exploitation. Fitzgerald said the company monitors about one million sensors globally and “SMA1000 appliances represent a very small subset of that footprint, less than 5,000 units.” SonicWall said support staff are also helping customers work through instances of suspicious activity, warning that patching alone is not sufficient. The vendor and its customers have been hit by a barrage of actively exploited zero-days and previously disclosed defects in SonicWall devices for years. In 2025, an undisclosed state-sponsored threat actor intruded the company’s cloud environment and stole firewall configurations of every SonicWall customer. Seventeen defects affecting the vendor’s products have been added to CISA’s known exploited vulnerabilities catalog since late 2021. Ten of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August. “As always,” Harris said, “when something is confirmed as already exploited in the wild, patching is the bare minimum, and breach should be assumed.” Share Facebook LinkedIn Twitter Copy Link

Indicators of Compromise

  • cve — CVE-2026-15409
  • cve — CVE-2026-15410

Entities

SMA1000 appliances (product)SonicWall (vendor)firewall (product)Rapid7 (vendor)ransomware (technology)