SonicWall SMA Appliances Under Zero-Day Attack Exploiting Critical Flaws
SonicWall is urging customers to patch its Secure Mobile Access (SMA) 1000 Series appliances following active exploitation of two zero-day vulnerabilities, CVE-2026-15409 and CVE-2026-15410.

SonicWall has issued an urgent call to action for its customers, advising them to upgrade firmware on Secure Mobile Access (SMA) 1000 Series appliances due to active exploitation of two critical zero-day vulnerabilities. The flaws, identified as CVE-2026-15409 and CVE-2026-15410, are being exploited in tandem by attackers to compromise these secure remote access gateways.
CVE-2026-15409 is a critical Server-Side Request Forgery (SSRF) vulnerability within the SMA1000 Appliance Work Place interface. This flaw could permit unauthenticated remote attackers to compel the appliance to initiate requests to unintended external locations, potentially exposing internal network resources. The second vulnerability, CVE-2026-15410, is a high-severity code injection flaw affecting the SMA1000 Appliance Management Console. Exploitation of this bug by an authenticated administrator could lead to arbitrary OS command execution and subsequent remote code execution on the affected appliance.
These vulnerabilities impact specific models within the SonicWall SMA 1000 series, including the SMA6210, SMA7210, and the virtual appliance SMA8200v. Affected firmware versions include 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. SonicWall has released hotfix firmware versions 12.4.3-03453 and 12.5.0-02835 to address these issues.
SonicWall confirmed that these vulnerabilities are being actively exploited in the wild, indicating a significant and immediate threat to organizations relying on these appliances for secure remote access. The company proactively alerted customers before the public release of the security advisory, providing access to hotfixes and offering a script to assist with resolution. A spokesperson emphasized that patching alone is insufficient and urged customers to meticulously review logs for indicators of compromise.
Beyond patching, SonicWall recommends that organizations that suspect compromise should consider re-imaging affected hardware appliances or re-deploying virtual appliances. Furthermore, all user and administrator passwords must be reset, and any configured Time-based One-Time Password (TOTP) tokens should be reset as a precautionary measure. This comprehensive approach is crucial to ensure complete remediation and prevent further unauthorized access.
SonicWall SMA appliances and firewalls are frequently targeted by threat actors, often exploiting zero-day vulnerabilities or leveraging previously disclosed flaws. The active exploitation of these new vulnerabilities underscores the persistent threat landscape and the importance of timely patching and robust security monitoring for critical network infrastructure. The company has credited Adam Babis of SonicWall PSIRT for discovering and reporting these vulnerabilities.