HispasecJuly 18, 2026🇪🇸Translated from Spanish

SonicWall Issues Emergency Hotfixes After Detecting Active Exploitation of Two Zero-Day Vulnerabilities in SMA1000 Appliances

SonicWall has confirmed the active exploitation of two zero-day vulnerabilities in its SMA1000 series appliances, triggering an emergency response and the rapid release of hotfixes. The company detected real-world intrusions targeting these perimeter devices, which provide remote access to corporate networks, significantly elevating risk for any organization with internet-exposed units.

The first vulnerability, CVE-2026-15409, received a maximum CVSS 10.0 score and involves unauthenticated server-side request forgery (SSRF) in the SMA1000 Appliance Work Place interface. This flaw allows remote attackers to compel the appliance to send requests to unintended internal destinations, serving as a common foothold for pivoting deeper into corporate environments.

The second issue, CVE-2026-15410, carries a CVSS 7.2 rating and affects the SMA1000 Appliance Management Console. It enables authenticated code injection, permitting an administrator to execute operating system commands. In sophisticated attacks, this type of vulnerability is frequently used to establish persistence, alter configurations, or maintain long-term access.

Affected Products and Available Fixes

Impacted models include SMA6210, SMA7210, and SMA8200v. Vulnerable platform versions encompass 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. SonicWall has released corrected hotfixes 12.4.3-03453 and 12.5.0-02835, along with subsequent updates. No alternative mitigations are considered sufficient; organizations must apply these patches.

Exploitation and Regulatory Response

Attacks observed in the wild may chain both vulnerabilities, although confirmation varies across sources. CISA has added both CVEs to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies apply fixes or decommission affected systems by July 17, 2026. The vulnerabilities do not impact SonicWall SSL VPN firewalls or the SMA 100 Series appliances.

Indicators of Compromise and Recommended Actions

Key indicators of compromise include HTTP 200 responses for /api/login or /api/logout requests in extraweb_access.log, suspicious /wsproxy calls returning HTTP 101, evidence of unauthorized hotfix rollbacks in ctrl-service.log, and anomalous paths in /var/lib/unit/conf.json.

  • Immediately update exposed SMA1000 appliances to versions 12.4.3-03453 or 12.5.0-02835.
  • Inventory all SMA6210, SMA7210, and SMA8200v devices and prioritize those with administrative exposure.
  • Review logs for listed IOCs and preserve evidence for forensic analysis if compromise is suspected.
  • Reimage physical appliances or redeploy virtual instances before returning them to production.
  • Rotate all user and administrator passwords, reset TOTP tokens, and restrict administrative access to management networks or bastions.
  • Implement monitoring for anomalous /wsproxy host parameters and /api/login or /api/logout activity.

Additional details are available from BleepingComputer, Help Net Security, and The Hacker News.