CVE-2026-15410 and CVE-2026-15409: SonicWall SMA 1000 Zero-Days Exploited in the Wild

CVE-2026-15410 and CVE-2026-15409: SonicWall SMA 1000 Zero-Days Exploited in the Wild

SOC Prime Team
SOC Prime Team linkedin icon Follow

Add to my AI research

SonicWall has patched two actively exploited zero-days affecting SMA 1000 Series secure remote access appliances. The issues are CVE-2026-15409, a critical unauthenticated SSRF flaw in the Workplace interface, and CVE-2026-15410, a post-authentication code injection flaw in the Appliance Management Console that can lead to arbitrary OS command execution as administrator under certain conditions. Public reporting says the vulnerabilities have been exploited together in real attacks against SMA6210, SMA7210, and SMA8200v appliances.

The most important details for CVE-2026-15409 are that it provides the pre-authentication foothold, while CVE-2026-15410 is used after privileged access is obtained to deepen control over the appliance. SonicWall says affected firmware lines include 12.4.3-03245 / 03387 / 03434 and 12.5.0-02283 / 02624 / 02800, with fixes released in 12.4.3-03453+ and 12.5.0-02835+.

CVE-2026-15410 and CVE-2026-15409 analysis

From a tradecraft perspective, the two bugs serve different roles in the intrusion chain. CVE-2026-15409 affects the Appliance Workplace interface and allows a remote unauthenticated attacker to force the device to make requests to unintended locations. CVE-2026-15410 then targets the Appliance Management Console and may allow a remote attacker authenticated as an admin to execute arbitrary operating system commands. In observed attacks, public reporting says the flaws were chained together rather than used in isolation.

The operational impact goes beyond initial appliance compromise. Help Net Security reports that attackers who exploited the flaws extracted high-value credentials, active session databases, and TOTP multi-factor authentication seed configurations, then used the appliance as a stealthy foothold for further movement. The same reporting also cites Rapid7 observations of anomalous, VPN-less Active Directory authentications originating from the compromised SMA appliance’s internal IP address, indicating the device had become an unmonitored backdoor into directory infrastructure.

At the time of reporting, public exploitation maturity was already high. Help Net Security says Rapid7 released a CVE-2026-15409 PoC for exposure validation, while SonicWall and both news reports confirmed in-the-wild exploitation and noted that CISA added the two flaws to its Known Exploited Vulnerabilities catalog.

CVE-2026-15410 and CVE-2026-15409 Mitigation

SonicWall has made clear that patching alone is not enough. The vendor recommends upgrading immediately, but also reviewing appliances for compromise and, if indicators are present, re-imaging physical appliances or redeploying virtual appliances, changing user and administrator passwords, and resetting TOTP tokens. That guidance reflects the fact that attackers may already have established persistence or harvested authentication material before defenders apply the fixed firmware.

Practical CVE-2026-15409 detection should start with SonicWall’s published log and filesystem indicators. The most notable CVE-2026-15409 IOCs in public reporting include requests in extraweb_access.log to /__api__/login or /__api__/logout returning HTTP 200, requests to /wsproxy with suspicious host parameters returning HTTP 101, entries in ctrl-service.log showing hotfix rollbacks with path-traversal-style names, and unexpected /__api__/login or /__api__/logout routes inside /var/lib/unit/conf.json.

To Detect CVE-2026-15409 exposure and post-exploitation activity, defenders should combine firmware validation with forensic review of those artifacts and appliance access patterns. Because SonicWall says the two flaws were actively exploited and not unique to its platform, organizations running internet-facing SMA 1000 devices should treat suspicious access, altered routing entries, or rollback artifacts as potential signs of full appliance compromise rather than simple failed exploit attempts.

CHECK AVAILABLE DETECTIONS

Disclaimer: Detection content may not be available for every CVE. Check the SOC Prime Platform for current coverage. If you don’t find relevant detections now, please check back later.

 

FAQ

What are CVE-2026-15410 and CVE-2026-15409 and how do they work?

CVE-2026-15409 is a critical SSRF flaw in the SonicWall SMA 1000 Workplace interface that can be exploited remotely without authentication to make the appliance send requests to unintended locations. CVE-2026-15410 is a post-authentication code injection flaw in the Appliance Management Console that can allow an authenticated admin-level attacker to execute arbitrary operating system commands. Public reporting says the two bugs have been used together in real attacks.

When were CVE-2026-15410 and CVE-2026-15409 first discovered?

The public reports do not disclose a private discovery date. What is confirmed is that SonicWall publicly disclosed the issues and their fixes in mid-July 2026, and credited Adam Babis of SonicWall PSIRT with discovering and reporting the flaws. SonicWall later also credited Sean Koessel and Steven Adair of Volexity for helping expand the investigation and the IOC list.

What is the impact of CVE-2026-15410 and CVE-2026-15409 on systems?

The combined impact can be severe. Public reporting says exploitation can lead to unauthorized requests from the appliance, arbitrary command execution as administrator, theft of credentials and session data, exposure of TOTP seed configurations, and follow-on movement into internal infrastructure using the compromised appliance as a backdoor.

Can CVE-2026-15410 and CVE-2026-15409 still affect me in 2026?

Yes. Organizations can still be exposed in 2026 if they continue to run affected SMA 1000 firmware versions or if their appliances were compromised before patching and were not forensically reviewed and rebuilt where needed. Both flaws were added to CISA’s KEV catalog, underscoring the urgency.

How can I protect myself from CVE-2026-15410 and CVE-2026-15409?

Upgrade immediately to the fixed SonicWall hotfix versions, review logs and configuration artifacts for the published indicators, and if compromise is suspected, re-image or redeploy the appliance, rotate passwords, and reset TOTP tokens. SonicWall’s own guidance stresses that remediation should include both patching and compromise assessment.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

More Articles