BoletimSecJuly 18, 2026🇵🇹Translated from Portuguese

Cybercriminals Actively Exploiting Critical Zero-Day Vulnerabilities in SonicWall SMA1000 Appliances

Cybercriminals are actively exploiting a critical zero-day vulnerability chain in SonicWall SMA1000 appliances deployed for corporate remote access. The attack allows threat actors to achieve remote code execution and obtain maximum privileges on compromised devices.

The exploitation involves two distinct vulnerabilities. The most severe, CVE-2026-15409, carries a maximum CVSS score of 10.0 and enables an unauthenticated attacker to reach internal services on the appliance. The second flaw, CVE-2026-15410, permits local privilege escalation, completing the attack chain.

Affected devices belong to the SMA1000 Series, specifically models 6210, 7210, and 8200v, running firmware versions including 12.4.3-03434 and 12.5.0-02800. SonicWall has stated that its SSL VPN firewalls and the SMA 100 product line are not impacted by these vulnerabilities.

Researchers have already observed compromised appliances being used as discreet entry points into corporate networks. In multiple incidents, attackers collected credentials, session data, and multi-factor authentication seeds before advancing laterally into Active Directory environments.

Security teams are advised to treat remediation as an emergency. Administrators should immediately update affected appliances to firmware versions 12.4.3-03453, 12.5.0-02835, or later.