Security advisories

SonicWall Discloses Two Zero-Day Vulnerabilities (CVE-2026-15409, CVE-2026-15410)

July 15, 2026

4 MINS READ

THE THREAT

On July 14th, 2026, SonicWall disclosed two zero-day vulnerabilities impacting its Secure Mobile Access (SMA) 1000 series firewalls. The first vulnerability is CVE-2026-15409 (CVSS: 10), a Server-Side Request Forgery vulnerability in the SMA1000 Appliance Work Place interface that can allow an unauthenticated remote attacker to cause the appliance to make requests to unintended locations. The second is CVE-2026-15410 (CVSS: 7.2), a post-authenticated code injection flaw within SMA1000 Appliance Management Console (AMC) that could enable a remote authenticated attacker to execute arbitrary OS commands.

SonicWall has confirmed that patches have been released to address the flaws. SonicWall stated that they are aware of "multiple cases" indicating active exploitation of the vulnerabilities, suggesting that they may have been chained together within attacks. Due to reports of ongoing exploitation, organizations should ensure that relevant patches are applied as soon as possible.

What we're doing about it

What you should do about it

Additional information

Although SonicWall stated that exploitation of the vulnerabilities has been identified, no details were provided on the nature of the attacks. The information provided within the advisory suggests that the flaws could potentially be chained together, providing an unauthenticated attacker with access to impacted devices, enabling Remote Code Execution (RCE), but this is not confirmed. SonicWall credited the cybersecurity firm Volexity with assisting in the investigation; at the time of writing, Volexity has not provided any additional information, but may publish a report containing further information in the future.

Currently, technical details on the flaws are also limited, and there are no reports of publicly available Proof-of-Concept (PoC) exploit code. The release of PoC exploit code has been known to signal potential widespread exploitation of a flaw, as it significantly lowers the bar for threat actors to operationalize within attacks. Organizations that utilize SonicWall SMA1000 series firewalls within their environment should ensure that patches are applied as soon as possible. Organizations should also perform a review of the logs outlined by SonicWall within their advisory and look for any signs of possible exploitation. If found, impacted firewalls should be reimaged or redeployed, and credentials should be revoked.

Both vulnerabilities were added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 14th, and a deadline of July 17th was given for Federal Civilian Executive Branch (FCEB) agencies to apply patches.

Impacted Product List
Product Affected Version(s) Fixed Version(s)
SMA1000 Models – 6210, 7210, 8200v 12.4.3-03245, 12.4.3-03387 and 12.4.3-03434 12.4.3-03453 (platform-hotfix) and higher
12.5.0-02283, 12.5.0-02624 and 12.5.0-02800 12.5.0-02835 (platform-hotfix) and higher

References:
[1] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0008
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-15409
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-15410
[4] https://nucleussec.com/blog/public-poc-exploits-clear-signal-defensive-action/
[5] https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog

Back to Security Advisories

Speak With A Security Expert Now

TALK TO AN EXPERT
View Most Recent Advisories