SonicWall has released emergency hotfixes for two vulnerabilities affecting SMA1000 Series secure access appliances. Both vulnerabilities have been exploited in active attacks, and one carries the maximum CVSS score of 10.0.
The vulnerabilities are tracked as:
- CVE-2026-15409: Critical unauthenticated server-side request forgery vulnerability
- CVE-2026-15410: High-severity authenticated code injection vulnerability
Vulnerability Details
CVE-2026-15409: Unauthenticated SSRF
CVE-2026-15409 is a critical (CVSS score of 10.0) server-side request forgery vulnerability in the SMA1000 Appliance Work Place interface.
The vulnerability can be exploited remotely without authentication, user interaction, or elevated privileges. A successful attacker may cause the appliance to send requests to unintended locations.
CVE-2026-15410: Administrative Code Injection
CVE-2026-15410 is a code injection vulnerability affecting the SMA1000 Appliance Management Console.
Under specific conditions, an authenticated attacker with administrator privileges may exploit the vulnerability to execute arbitrary operating system commands on the appliance.
The vulnerability has a CVSS score of 7.2.
Active Exploitation
SonicWall’s Product Security Incident Response Team investigated multiple incidents indicating exploitation of both vulnerabilities before fixes became publicly available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added both CVEs to its Known Exploited Vulnerabilities Catalog.
Because exploitation occurred before public disclosure, installing the hotfix alone is not sufficient. Organizations should investigate activity that occurred while their appliances were running vulnerable versions.
Affected Products and Versions
The vulnerabilities affect the following SonicWall SMA1000 products:
- SMA 6210
- SMA 7210
- SMA 8200v
- SMA1000 Central Management Server deployments across supported hypervisors
Affected platform-hotfix versions include:
12.4.3 branch
- 12.4.3-03245
- 12.4.3-03387
- 12.4.3-03434
12.5.0 branch
- 12.5.0-02283
- 12.5.0-02624
- 12.5.0-02800
The following versions contain the fixes:
- 12.4.3-03453 or later
- 12.5.0-02835 or later
The vulnerabilities do not affect the SMA 100 Series or SSL-VPN functionality running on SonicWall firewalls.
Indicators of Compromise
SonicWall recommends reviewing affected appliances for the following indicators.
extraweb_access.log
Look for successful requests to the following unusual endpoints with HTTP status code 200:
- /__api__/login
- /__api__/logout
These endpoints should not exist in a legitimate appliance configuration.
Review requests to:
- /wsproxy
Pay particular attention to requests containing suspicious host parameters that received HTTP status code 101.
ctrl-service.log
Review the log for hotfix removal or rollback activity involving path traversal names.
Appliance configuration
Inspect:
/var/lib/unit/conf.json
The presence of routes for either of the following endpoints indicates potential compromise:
- /__api__/login
- /__api__/logout
Organizations should also examine authentication activity, administrative configuration changes, unexpected outbound connections, newly created accounts, modified routes and other unusual appliance activity during the suspected compromise period.
Mitigation and Incident Response
Organizations using SonicWall SMA1000 appliances should take the following actions:
- Identify all affected appliances.
Review physical, virtual, production, disaster recovery and management server deployments. - Apply the latest platform hotfix immediately.
Upgrade to version 12.4.3-03453, 12.5.0-02835 or a later supported release. - Preserve relevant evidence.
Where operationally possible, retain logs, configuration files, system images and virtual machine snapshots before rebuilding or making significant changes. - Review the published indicators of compromise.
Examine extraweb_access.log, ctrl-service.log and /var/lib/unit/conf.json, along with authentication, network and administrative activity. - Treat identified indicators as evidence of compromise.
SonicWall recommends re-imaging affected physical appliances or redeploying affected virtual appliances rather than relying solely on patching or configuration cleanup. - Rotate credentials.
Change all user and administrator passwords that may have been stored, processed or used through the compromised appliance. - Reset multifactor authentication tokens.
Re-enrol affected users and reset time-based one-time password tokens. - Use clean configuration backups.
SonicWall advises using configuration backups only when they predate the December platform-hotfix versions 12.4.3-03245 and 12.5.0-02283. When no older backup is available, the configuration should be thoroughly audited for unauthorized modifications.
There is no vendor-supported workaround for these vulnerabilities. An affected appliance that cannot be patched should be removed from service or isolated until it can be safely updated and investigated.
Stay Safe. Stay Secure.
OP Innovate Research Team



