SonicWall SMA 1000 Zero-Days Exploited As CISA Adds July 17 Patch Deadline

SonicWall confirmed that two SMA 1000 vulnerabilities, CVE-2026-15409 and CVE-2026-15410, are being actively exploited in the wild and can be chained for unauthenticated command execution. CISA added them to BOD 26-04 with a July 17 patch or disconnect deadline for federal agencies.

SonicWall SMA 1000 Zero-Days Exploited As CISA Adds July 17 Patch Deadline

SonicWall on Tuesday urged customers to install emergency hotfixes for two SMA 1000 series vulnerabilities that the company says are already being exploited in zero-day attacks, and which chain together for full unauthenticated remote code execution.

The two bugs

CVE-2026-15409 is a critical server-side request forgery (SSRF) flaw in the SMA 1000 Appliance Work Place interface. Rated CVSS 10.0, it lets a remote, unauthenticated attacker force the appliance to make requests to unintended internal or external destinations. CVE-2026-15410 is a high-severity (CVSS 7.2) post-authentication OS command injection in the SMA 1000 Appliance Management Console reachable by an administrator.

Why the chain matters

SonicWall confirmed that unauthenticated attackers can chain the two bugs — abusing the SSRF to reach the management console and then triggering the command injection — to achieve arbitrary command execution with administrative privileges on the appliance. Affected products include SMA 1000 hardware models 6210 and 7210 and the 8200v virtual appliance. Hotfixes 12.4.3-03453 and 12.5.0-02835 close both holes.

SonicWall corporate logo
SonicWall says it investigated multiple incidents before confirming exploitation.

CISA sets a hard July 17 deadline

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities catalogue, giving federal civilian agencies until Friday, July 17, 2026 to patch or discontinue use of the appliance under Binding Operational Directive 26-04. Multiple government CERTs mirrored the guidance.

Another week of frontier VPN pain

The SMA 1000 disclosure lands the same week Microsoft released its largest-ever Patch Tuesday of 570-plus bugs and Palo Alto Networks pushed a critical fix for PAN-OS bug CVE-2026-0288. Enterprise VPN and remote-access appliances remain by far the most reliably-attacked edge surface for ransomware crews and state actors.

Reporting based on coverage from SonicWall, BleepingComputer, Help Net Security, The Hacker News and SecurityWeek.

Category: Cyber Security

Tags: Security Cybersecurity Zero-Day

Related Articles