SonicWall SMA1000 CVSS 10.0 Zero-Day Hits Remote Access Gateways

SonicWall warns of active exploitation of CVE-2026-15409 (CVSS 10.0) and CVE-2026-15410 in SMA1000 appliances. Federal agencies must patch by July 17.
Table of Contents
    Add a header to begin generating the table of contents

    SonicWall confirmed active exploitation of two zero-day vulnerabilities in its SMA1000 series remote access appliances, including a maximum-severity flaw that requires no credentials to exploit. CISA added both CVEs to its Known Exploited Vulnerabilities catalog and set a 48-hour patch-or-disconnect deadline for federal agencies under Binding Operational Directive 26-04.

    SonicWall’s Advisory on CVE-2026-15409 and CVE-2026-15410

    SonicWall’s emergency advisory covers two distinct vulnerabilities in the SMA1000 series — a product line deployed as VPN concentrators and remote access gateways at enterprise network perimeters. The company confirmed active exploitation of both flaws and stated that no workarounds exist. The only remediation path is upgrading to a patched firmware build. SonicWall additionally recommends that administrators review system logs for indicators of compromise and reimage any device where evidence of unauthorized access is found.

    The SMA1000 6210, 7210, and 8200v models are all affected. Devices running platform-hotfix builds from version 12.4.3-03245 through 12.5.0-02800 carry both vulnerabilities. SonicWall released patched versions 12.4.3-03453 and 12.5.0-02835; devices on either the 12.4.x or 12.5.x firmware branch have a direct upgrade path and SonicWall describes the upgrade as warranting “immediate” action.

    How CVE-2026-15409’s Unauthenticated SSRF Enables Remote Exploitation

    CVE-2026-15409 carries a CVSS base score of 10.0, the highest possible rating. The vulnerability is a server-side request forgery flaw in the SMA1000 Workplace interface — the public-facing web portal through which remote employees and contractors connect to the VPN gateway. Because the Workplace interface is designed to be internet-accessible and the vulnerability requires no authentication to trigger, any SMA1000 appliance reachable from the public internet is exposed without any credential barrier.

    SSRF vulnerabilities in network perimeter appliances carry a particular risk profile: the gateway itself holds privileged access to internal network resources. An attacker who forces the appliance to make unauthorized internal requests can use the device’s trusted network position to probe internal services, reach APIs that are otherwise inaccessible from outside the perimeter, or extract configuration data from the appliance that opens further attack paths. In a VPN gateway context, those internal resources include the employee and contractor access infrastructure the appliance is designed to protect.

    CVE-2026-15410: Code Injection in the SMA1000 Management Console

    CVE-2026-15410 (CVSS 7.2) is a code injection vulnerability in the SMA1000 Management Console — the administrative interface rather than the external Workplace portal. Exploitation requires valid administrator credentials, raising the attack threshold significantly compared to CVE-2026-15409. However, an attacker who obtains administrator access — through credential theft, phishing, or information gained via CVE-2026-15409 — can use CVE-2026-15410 to execute arbitrary operating system commands on the appliance, resulting in full device compromise.

    The Management Console’s administrative scope means that a successful CVE-2026-15410 exploit gives an attacker control over VPN configuration, user access policies, and the network routing the appliance performs on behalf of all remote sessions. An attacker operating at this level can modify access control policies, intercept or redirect VPN traffic, and maintain persistence on a device sitting at the boundary between the internet and the internal network.

    Federal Deadline and Recommended Actions Under BOD 26-04

    CISA’s addition of both CVEs to the Known Exploited Vulnerabilities catalog activated remediation requirements for federal civilian executive branch agencies under Binding Operational Directive 26-04. Agencies must apply the available patches or take affected SMA1000 systems offline by July 17, 2026 — a window that reflects CISA’s determination that confirmed active exploitation represents immediate risk to federal infrastructure rather than a future threat.

    Which SMA1000 Models Carry the Vulnerability and the Fixed Builds

    The three affected models — the SMA1000 6210, 7210, and 8200v — span SonicWall’s enterprise and high-end remote access product lines. Administrators should verify the specific firmware build running on each device against the vulnerable range (12.4.3-03245 through 12.5.0-02800) and move to 12.4.3-03453 or 12.5.0-02835 as the minimum acceptable build. SonicWall’s advisory makes no provision for deferred patching or compensating controls.

    The SMA1000 series serves a particularly sensitive role in both federal and commercial enterprise deployments: these appliances handle VPN tunnels for remote workers, contractors, and third-party partners, placing them at the boundary between the public internet and internal networks. Confirmed active exploitation of a CVSS 10.0 flaw on such a device gives an attacker an unauthenticated foothold at the network perimeter. Commercial organizations outside the BOD 26-04 mandate should apply the available patches on the same emergency timeline given the absence of any workaround and the confirmed exploitation status.

    Related Posts