Executive Summary

    On July 14th, 2026, SonicWall PSIRT disclosed a critical vulnerability affecting SMA1000 secure remote access appliances. Tracked as CVE-2026-15409, SonicWall confirmed this vulnerability is being actively exploited in the wild and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog.

    CVE-2026-15409 is a critical server-side request forgery vulnerability in the SMA1000 Workplace web portal that allows a remote, unauthenticated attacker to force the appliance to send requests to an attacker-chosen destination. The vulnerability is being exploited alongside CVE-2026-15410, a code injection flaw in the appliance's Management Console that allows an authenticated administrator to execute arbitrary operating system commands.

    Given active exploitation in the wild, Beazley Security recommends affected organizations apply available fixes immediately and conduct a review for any signs of compromise.

    Affected Systems or Products

    Product

    Affected Versions

    Fixed Versions

    SMA1000 Models (6210, 7210 & 8200v)

    12.4.3-03245, 12.4.3-03387, 12.4.3-03434

    12.4.3-03453 (hotfix)

    SMA1000 Models (6210, 7210 & 8200v)

    12.5.0-02283, 12.5.0-02624, 12.5.0-02800

    12.5.0-02835 (hotfix)

    Mitigations / Workarounds

    Given active exploitation in the wild, Beazley Security strongly recommends organizations apply updates immediately. SonicWall has released hotfixes to remediate these vulnerabilities. Please see the “patches” section for more information.

    • If patching cannot be applied, other mitigations may temporarily reduce risk of exposure:

    • Temporarily limit access to the Workplace interface to trusted, administrative networks

    • Disable or restrict any unnecessary external access to the Management Console

    • Monitor for indicators of attack or compromise. See the “Indicators of Compromise” section in this document for more information.

    Patches

    SonicWall has released hotfix firmware that address both vulnerabilities. Additional details are available in the official SonicWall advisory and fixes are available for download at mysonicwall.com.

    Indicators of Compromise

    SonicWall PSIRT has reportedly investigated multiple cases indicating the active exploitation of these vulnerabilities. No specific threat actor or public PoC have been disclosed, however SonicWall released the following indicators of attack that defenders can review:

    • Requests to /__api__/login or /__api__/logout with HTTP 200 status codes appearing in extraweb_access.log

    • Requests to /wsproxy with suspicious host parameters returning HTTP 101 status codes in extraweb_access.log

    • Hotfix rollbacks with path traversal names appearing in ctrl-service.log

    • Routes for /__api__/login or /__api__/logout present in /var/lib/unit/conf.json (these URIs do not exist in legitimate configuration)

    If IoCs are present on the system, SonicWall strongly encourages customers to reimage appliances, change user and administrative passwords, and reset TOTP tokens.

    Technical Details

    SMA1000 appliances are SSL VPN gateways that provide secure remote access to enterprise networks, making them high-value targets for threat actors seeking an initial foothold. SonicWall remote access products have repeatedly been targeted through both zero-day and previously disclosed vulnerabilities to gain access to victim environments.

    • CVE-2026-15409 is a critical server-side request forgery (SSRF) vulnerability in the SMA1000 Workplace interface. The flaw allows a remote, unauthenticated attacker to cause the appliance to send requests to unintended destinations, potentially attacker-controlled infrastructure. An attacker may also be able to probe internal network segments and reach services that the appliance would normally shield from the outside world.

    • CVE-2026-15410 is a high-severity code injection vulnerability in the SMA1000 Appliance Management Console (AMC). Under specific conditions, a remote attacker with administrative access to the console can exploit the flaw to execute arbitrary operating system commands on the appliance.

    At the time of writing, SonicWall has not publicly disclosed the exploitation techniques or the specific relationship between the two vulnerabilities beyond confirming their use in active attacks. It cannot be discounted that the pre-authentication SSRF vulnerability may be leveraged to target the management console to trigger arbitrary commands and achieve remote code execution on the appliance.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.