Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

SonicWall SMA 1000 Zero-Day Vulnerabilities: A Critical Threat to Enterprise Security


SonicWall SMA 1000 Zero-Day Vulnerabilities: A Critical Threat to Enterprise Security. Two zero-day vulnerabilities impacting SonicWall SMA 1000 appliances could enable arbitrary command execution, prompting organizations to take immediate action to protect themselves from these critical threats.

  • SonicWall has alerted its customers and the cybersecurity community about two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances, which could enable arbitrary command execution.
  • The first vulnerability (CVE-2026-15409) is a server-side request forgery (SSRF) issue that allows remote unauthenticated attackers to make requests to unintended locations.
  • The second vulnerability (CVE-2026-15410) is a post-authentication code injection issue that could allow remote authenticated attackers to execute arbitrary operating system commands as administrator.
  • SonicWall has stated that it has investigated active exploitation of the vulnerabilities and recommends applying available patches, re-imaging or redeploying affected appliances, and changing user and administrator passwords.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the two flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 17, 2026.



  • SonicWall has recently alerted its customers and the cybersecurity community about active exploitation of two zero-day vulnerabilities impacting its Secure Mobile Access (SMA) 1000 series appliances, one of which could enable arbitrary command execution. The discovery of these vulnerabilities highlights a critical threat to enterprise security and underscores the importance of timely patching and vigilance in the face of rapidly evolving threats.

    The first vulnerability, CVE-2026-15409, is classified as a server-side request forgery (SSRF) issue that allows a remote unauthenticated attacker to potentially cause the appliance to make requests to an unintended location. This could have far-reaching consequences for organizations that rely on SonicWall SMA 1000 appliances for secure mobile access.

    The second vulnerability, CVE-2026-15410, is categorized as a post-authentication code injection issue rooted in the Appliance Management Console (AMC). A remote authenticated attacker could exploit this flaw to execute arbitrary operating system commands as administrator under certain conditions. This level of privilege escalation poses an extremely significant risk to the security and integrity of SonicWall SMA 1000 appliances.

    SonicWall has stated that it has "investigated multiple cases indicating the active exploitation of the vulnerabilities," emphasizing the urgent need for customers to apply the available patches as soon as possible. The patches are currently available in versions 12.4.3-03453 (platform-hotfix) and higher, as well as version 12.5.0-02835 (platform-hotfix) and higher.

    To determine if any indicators of compromise (IoCs) associated with exploitation are present on the system, users can perform a thorough forensic analysis of the appliance's logs. Certain indicators include:

    1. Requests to /__api__/login or /__api__/logout with HTTP 200 status in extraweb_access.log.
    2. Requests to /wsproxy with suspicious host parameters and HTTP 101 status in ctrl-service.log.
    3. Hotfix rollbacks with path traversal names in ctrl-service.log.
    4. Presence of routes for /__api__/login or /__api__/logout in /var/lib/unit/conf.json.

    If any of these indicators are found, it is strongly recommended to re-image physical appliances or redeploy virtual appliances, change user and administrator passwords, and reset time-based one-time password tokens as a precautionary measure. Furthermore, Adam Babis of SonicWall's product security incident response team (PSIRT) has been credited with discovering and reporting the flaws, while Volexity’s Sean Koessel and Steven Adair contributed to the internal investigation by identifying an additional IoC.

    The development of these zero-day vulnerabilities has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the two flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 17, 2026.

    In light of these critical vulnerabilities, it is essential for organizations that rely on SonicWall SMA 1000 appliances for secure mobile access to take immediate action. This may involve re-imagining physical appliances or redeploying virtual appliances, changing user and administrator passwords, resetting time-based one-time password tokens, and ensuring timely patching of the affected versions.

    In addition to these immediate steps, it is also crucial for organizations to develop a comprehensive incident response plan that includes strategies for detecting and mitigating zero-day vulnerabilities. This may involve implementing robust security monitoring systems, conducting regular vulnerability assessments, and providing ongoing training for IT staff on incident response procedures.

    In conclusion, the exploitation of two SonicWall SMA 1000 zero-day vulnerabilities highlights a critical threat to enterprise security. Organizations must take immediate action to protect themselves from these threats by applying available patches, re-imaging or redeploying affected appliances, changing user and administrator passwords, resetting time-based one-time password tokens, and developing comprehensive incident response plans.

    SonicWall SMA 1000 Zero-Day Vulnerabilities: A Critical Threat to Enterprise Security. Two zero-day vulnerabilities impacting SonicWall SMA 1000 appliances could enable arbitrary command execution, prompting organizations to take immediate action to protect themselves from these critical threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/SonicWall-SMA-1000-Zero-Day-Vulnerabilities-A-Critical-Threat-to-Enterprise-Security-ehn.shtml

  • https://thehackernews.com/2026/07/two-sonicwall-sma-1000-zero-days.html

  • https://getlifeinfo.com/two-sonicwall-sma-1000-zero-days-exploited-one-could-enable-admin-commands/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-15409

  • https://www.cvedetails.com/cve/CVE-2026-15409/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-15410

  • https://www.cvedetails.com/cve/CVE-2026-15410/


  • Published: Wed Jul 15 02:38:14 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us