Breaking: SonicWall SMA1000 CVSS 10.0 Zero-Days Under Active Exploitation — 15 July 2026
SonicWall SMA1000 Zero-Days Under Active Exploitation
Two critical SonicWall SMA1000 vulnerabilities are being exploited in the wild as zero-day attacks, with CISA adding both to its Known Exploited Vulnerabilities catalog on July 14 and setting a three-day remediation deadline of July 17.
CVE-2026-15409 is a CVSS 10.0 server-side request forgery (SSRF) flaw in the SMA1000 Appliance Work Place interface. A remote, unauthenticated attacker can force the appliance to make requests to unintended locations, effectively bypassing authentication boundaries without any credentials. This is the highest possible severity rating.
CVE-2026-15410 is a CVSS 7.2 code injection vulnerability in the SMA1000 Appliance Management Console that allows an authenticated administrator to execute arbitrary operating system commands. While it requires admin privileges, SonicWall assigned the overall advisory a CVSS of 10.0, and the simultaneous exploitation of both vulnerabilities raises the strong possibility of a chain attack: SSRF to gain initial access, then code injection for full system compromise.
SonicWall confirmed active exploitation after investigating multiple incidents. The affected models are SMA1000 6210, 7210, and 8200v running specific hotfix versions of 12.4.3 and 12.5.0. Critically, the SSL-VPN on SonicWall firewalls and the SMA 100 Series are not affected.
Patches are available in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835. There are no workarounds. If compromised, SonicWall advises full re-image of physical appliances or redeployment of virtual ones, plus password and TOTP resets.
CISA's three-day deadline (July 17) under BOD 26-04 is unusually tight, reflecting the severity. Federal agencies must patch or discontinue use.
SonicWall published IOCs including suspicious log entries for /__api__/login, /__api__/logout, and /wsproxy endpoints, plus path traversal indicators in ctrl-service.log and rogue routes in /var/lib/unit/conf.json.
Also added to KEV the same day: two Microsoft zero-days from July Patch Tuesday (CVE-2026-56164 in SharePoint Server, CVE-2026-56155 in ADFS), both confirmed exploited in the wild. SharePoint carries CVSS 7.8; ADFS is lower but still active. Microsoft patched both on Tuesday.
So What / Action
Patch SMA1000 appliances immediately. The CVSS 10.0 SSRF is unauthenticated and actively exploited. If you run SMA1000 models 6210, 7210, or 8200v, treat this as an emergency. Check logs against SonicWall's IOCs before patching. If you find compromise indicators, do not just patch. Re-image, reset all credentials, and assume lateral movement. The chaining potential between these two flaws makes full compromise the likely outcome of a successful attack.
For the Microsoft zero-days, prioritize SharePoint Server (CVE-2026-56164) in your Patch Tuesday cycle. It is already being exploited for privilege escalation on internal networks.
Both sets of vulnerabilities are on CISA's KEV with federal remediation deadlines. Non-federal organisations should treat these as equivalent to their own critical patch windows.

