SonicWall on Tuesday urged customers to install emergency hotfixes for two SMA 1000 series vulnerabilities that the company says are already being exploited in zero-day attacks, and which chain together for full unauthenticated remote code execution.
The two bugs
CVE-2026-15409 is a critical server-side request forgery (SSRF) flaw in the SMA 1000 Appliance Work Place interface. Rated CVSS 10.0, it lets a remote, unauthenticated attacker force the appliance to make requests to unintended internal or external destinations. CVE-2026-15410 is a high-severity (CVSS 7.2) post-authentication OS command injection in the SMA 1000 Appliance Management Console reachable by an administrator.
Why the chain matters
SonicWall confirmed that unauthenticated attackers can chain the two bugs — abusing the SSRF to reach the management console and then triggering the command injection — to achieve arbitrary command execution with administrative privileges on the appliance. Affected products include SMA 1000 hardware models 6210 and 7210 and the 8200v virtual appliance. Hotfixes 12.4.3-03453 and 12.5.0-02835 close both holes.
CISA sets a hard July 17 deadline
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities catalogue, giving federal civilian agencies until Friday, July 17, 2026 to patch or discontinue use of the appliance under Binding Operational Directive 26-04. Multiple government CERTs mirrored the guidance.
Another week of frontier VPN pain
The SMA 1000 disclosure lands the same week Microsoft released its largest-ever Patch Tuesday of 570-plus bugs and Palo Alto Networks pushed a critical fix for PAN-OS bug CVE-2026-0288. Enterprise VPN and remote-access appliances remain by far the most reliably-attacked edge surface for ransomware crews and state actors.
Reporting based on coverage from SonicWall, BleepingComputer, Help Net Security, The Hacker News and SecurityWeek.