DEV Community

Shubham Chaudhary
Shubham Chaudhary

Posted on

SonicWall SMA1000 Zero-Days: Breaking Down CVE-2026-15409 and CVE-2026-15410


SonicWall disclosed two zero-day vulnerabilities in its SMA1000 secure remote access appliances this week — and they're not theoretical. SonicWall has confirmed active exploitation in the wild, and CISA has already added both to its Known Exploited Vulnerabilities catalog.

If you're running SMA 6210, 7210, or 8200v appliances, this is worth your attention today, not next sprint.

The two CVEs

  • CVE-2026-15409 — SSRF vulnerability in the Appliance Work Place interface. CVSS 10.0. No authentication required.
  • CVE-2026-15410 — Post-auth code injection in the Appliance Management Console. CVSS 7.2. Requires admin-level access.

Individually, the second one looks less alarming since it needs admin credentials. But researchers are seeing both exploited together — the SSRF flaw appears to be used to reach internal API surfaces, effectively creating a path toward admin-level control, which then unlocks the code injection bug for full remote code execution.

Why this matters beyond the CVSS number

A CVSS 10.0 score gets attention, but the interesting engineering lesson here is the chaining — two flaws with different individual risk profiles combining into something much worse than either alone. It's a good reminder that vulnerability triage based on a single CVSS score in isolation can miss compound risk.

What to check right now

If you manage these appliances, SonicWall's advisory lists specific log indicators worth hunting for — including unexpected API routes in extraweb_access.log and suspicious /wsproxy requests. No workaround exists outside of patching (hotfix versions 12.4.3-03453 / 12.5.0-02835), and SonicWall recommends a full compromise assessment before treating a vulnerable appliance as "patched and done."

I wrote a full breakdown with the complete attack chain, log-based IOCs, and a step-by-step investigation checklist here:
👉 https://www.xpert4cyber.com/2026/07/sonicwall-sma1000-critical-vulnerability-cvss-10.html

Curious if others here are seeing this actively targeted in their environments, or if your org has already rolled out the hotfix.

Top comments (0)