Threat Intelligence
A Zero-Day Pair on SonicWall SMA 1000 That Demands Immediate Action
We track vulnerabilities in the Adversary Operations Group that have a clear exploitation path and no viable workaround. This pair on the SonicWall SMA 1000 is both. SonicWall confirmed on July 15 that attackers are actively exploiting two zero-days in the Secure Mobile Access 1000 series appliances. One is a perfect 10.0 CVSS score.
CISA added both to the Known Exploited Vulnerabilities catalog within 24 hours.
Summary of the Vulnerabilities
CVE-2026-15409: CVSS 10.0 Server-Side Request Forgery. An unauthenticated remote attacker sends crafted requests to the SMA 1000 web interface, and the appliance forwards them to arbitrary destinations. No credentials. No user interaction needed. CVSS 10.0 is the maximum severity the system allows. The SSRF turns the SMA 1000 into a proxy for hitting internal networks, cloud metadata endpoints, or any other system the appliance can reach. In a properly segmented environment, that is bad. In practice, the SMA 1000 sits in a DMZ with access to internal resources. That is the design of an SSL VPN appliance.
CVE-2026-15410: Post-Auth Code Injection in AMC (CVSS 7.2). This one requires authentication to the Appliance Management Console in order to be exploited. The bar is lower than it sounds because the SSRF above can supply the access needed to reach that session. The code injection flaw lets a remote authenticated attacker execute arbitrary OS commands with administrative privileges.
Two vulnerabilities that chain: One to get in, one to take full control.
Affected Versions
SMA 1000 series prior to 12.4.3-03453 (platform-hotfix) and 12.5.0-02835 (platform-hotfix). Patches exist, but there is no workaround. If you run SMA 1000 and have not applied these builds, you are exposed.
Discovery, Attribution, and CISA KEV
SonicWall credits Adam Babis from its PSIRT team for discovering both flaws. Sean Koessel and Steven Adair from Volexity, an incident response firm, contributed to the active exploitation investigation. Their involvement means real compromises occurred before the advisory went public.
CISA added both to KEV on July 14. FCEB agencies must remediate by July 17. Three days is consistent with the accelerated timeline for vulnerabilities under active attack.
Remediation
If you find IOCs, re-image the appliance.
SonicWall’s guidance goes beyond patch-and-pray. If indicators of compromise are present, the instruction is to re-image physical appliances or redeploy virtual ones entirely. Then change every user and administrator password and reset time-based one-time password tokens.
The indicators to check:
- extraweb_access.log: requests to /api/login or /api/logout returning HTTP 200. These URIs do not exist in legitimate SMA 1000 configurations.
- extraweb_access.log: requests to /wsproxy with suspicious host parameters returning HTTP 101 (switching protocols). WebSocket proxy abuse.
- ctrl-service.log: hotfix rollback entries with path traversal naming patterns. Attackers roll back security patches to maintain access.
- /var/lib/unit/conf.json: route definitions for /api/login or /api/logout. Clean installs have none of these routes.
The Bottom Line
Two zero-days have been exploited in the wild against SonicWall SMA 1000. Patches exist. The CISA deadline is July 17. If you find IOCs, do not just patch. Re-image the appliance, rotate every credential, and reset TOTP tokens.
Treat any SMA 1000 that has been internet-connected since June 2026 as compromised until you prove otherwise.