Back to Feed
VulnerabilitiesJul 15, 2026

Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands

SonicWall SMA 1000 zero-days exploited, one allows admin command execution.

Summary

SonicWall has issued a warning about two actively exploited zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances. One vulnerability, CVE-2026-15409, is an SSRF flaw, while CVE-2026-15410 allows for arbitrary command execution as an administrator after authentication. The US CISA has added these flaws to its Known Exploited Vulnerabilities catalog, mandating immediate patching for federal agencies.

Full text

Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands Ravie LakshmananJul 15, 2026Vulnerability / Enterprise Security SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution. The vulnerabilities are listed below - CVE-2026-15409 (CVSS score: 10.0) - A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to potentially cause the appliance to make requests to an unintended location. CVE-2026-15410 (CVSS score: 7.2) - A post-authentication code injection vulnerability rooted in the Appliance Management Console (AMC) that a remote authenticated attacker could exploit to execute arbitrary operating system commands as administrator under certain conditions. SonicWall said it has "investigated multiple cases indicating the active exploitation of the vulnerabilities," urging customers to apply the fixes as soon as possible. The patches are available in the following versions - 12.4.3-03453 (platform-hotfix) and higher versions 12.5.0-02835 (platform-hotfix) and higher versions Users are also urged to perform a thorough forensic analysis of the system to determine the presence of any indicators of compromise (IoCs) associated with exploitation - If in extraweb_access.log are mentioned requests to /__api__/login or /__api__/logout with http 200 status If in extraweb_access.log are mentioned requests to /wsproxy with suspicious host parameters with 101 http status If in ctrl-service.log are mentioned hotfix rollbacks with path traversal names If /var/lib/unit/conf.json contains routes for /__api__/login or /__api__/logout (these URIs do not exist in legitimate configuration) Should one of these indicators be present, it's advised to re-image physical appliances or redeploy virtual appliances, change user and administrator passwords, and reset time-based one-time password tokens. Adam Babis of SonicWall's product security incident response team (PSIRT) has been credited with discovering and reporting the flaws. SonicWall also acknowledged the contributions of Volexity's Sean Koessel and Steven Adair to help advance the internal investigation and identify an additional IoC. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the two flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 17, 2026. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Code Execution, enterprise security, Incident response, network security, Patch Management, Remote Access, SSRF, Vulnerability, Zero-Day ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls

Indicators of Compromise

  • cve — CVE-2026-15409
  • cve — CVE-2026-15410

Entities

Secure Mobile Access (SMA) 1000 series (product)SonicWall (vendor)Appliance Management Console (AMC) (product)Known Exploited Vulnerabilities (KEV) catalog (product)CISA (vendor)