Security researchers have identified two critical vulnerabilities, CVE-2026-15409 and CVE-2026-15410, affecting SonicWall SMA1000 Series appliances. The flaws are already being exploited in the wild, prompting urgent warnings from SonicWall and CISA. Successful exploitation could result in Remote Code Execution, bypass of security restrictions, and broader compromise of affected systems.
The vulnerabilities impact SonicWall SMA1000 models 6210, 7210, and 8200v running versions 12.4.3-03245, 12.4.3-03387, 12.4.3-03434 (platform-hotfix), 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800 (platform-hotfix).
CVE-2026-15409 and CVE-2026-15410 Explained
CVE-2026-15409 is a server-side request forgery (SSRF) vulnerability in the SMA1000 Appliance Work Place interface. According to SonicWall, an unauthenticated remote attacker could force the appliance to send requests to unintended locations. The flaw carries a CVSS v3 score of 10.0 with the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H and is mapped to CWE-918.
CVE-2026-15410 is a post-authentication code injection vulnerability in the SMA1000 Appliance Management Console (AMC). Under specific conditions, a remote authenticated attacker with administrator privileges could execute arbitrary operating system commands, enabling Remote Code Execution. The vulnerability has a CVSS score of 7.2, uses the vector CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, and is associated with CWE-94.
Active Exploitation and Impact
SonicWall confirmed that CVE-2026-15409 and CVE-2026-15410 are being actively exploited. The advisory states, “SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory. Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities.”
The vulnerabilities may allow Remote Code Execution and bypass of security restrictions, increasing the risk of unauthorized system access.

Fixed Versions and Detection Guidance
SonicWall has released fixes in 12.4.3-03453 (platform-hotfix) and later, and 12.5.0-02835 (platform-hotfix) and later. The company noted that these issues do not affect SSL-VPN running on SonicWall firewalls or the SMA 100 Series product line.
Administrators are advised to inspect extraweb_access.log for HTTP 200 requests to /api/login or /api/logout, suspicious /wsproxy requests returning HTTP 101, ctrl-service.log entries indicating hotfix rollbacks with path traversal names, and unauthorized /api/login or /api/logout routes in /var/lib/unit/conf.json.
If indicators of compromise are found, SonicWall recommends re-imaging hardware appliances or redeploying virtual appliances, changing user and administrator passwords, and resetting TOTP tokens after performing a forensic investigation.
The advisory, SNWLID-2026-0008, was first published and last updated on July 14, 2026. The vulnerabilities were internally discovered by Adam Babis of SonicWall PSIRT, while Sean Koessel and Steven Adair of Volexity were credited in Version 1.1 for helping identify an additional indicator of compromise during the investigation. On the same day, CISA added the vulnerabilities to its Known Exploited Vulnerabilities Catalog.

