SonicWall has issued a security warning after confirming the active exploitation of two zero day vulnerabilities affecting its Secure Mobile Access SMA 1000 series appliances. One of the flaws could allow attackers to execute arbitrary operating system commands with administrator privileges under specific conditions, creating a significant security risk for organizations using the affected devices. The company has urged customers to immediately install the latest security updates and investigate their systems for any signs of compromise.
The vulnerabilities have been identified as CVE 2026 15409 and CVE 2026 15410. The first, assigned the maximum CVSS score of 10.0, is a server side request forgery vulnerability that allows a remote unauthenticated attacker to force an affected appliance to send requests to unintended locations. The second vulnerability, with a CVSS score of 7.2, is a post authentication code injection flaw within the Appliance Management Console. Under certain conditions, it can be exploited by a remote authenticated attacker to execute arbitrary operating system commands with administrator privileges. SonicWall said it investigated multiple incidents that confirmed both vulnerabilities are being actively exploited in the wild. To address the issue, the company released security fixes in platform hotfix versions 12.4.3 03453 and later, as well as 12.5.0 02835 and newer releases. In addition to applying the patches, SonicWall advised customers to perform a detailed forensic investigation to determine whether their appliances have been compromised. Administrators should examine log files for suspicious requests involving the login, logout, or wsproxy endpoints, review control service logs for unusual hotfix rollback activity using path traversal names, and inspect the configuration file for unauthorized routes related to login or logout APIs that are not part of legitimate system configurations. If any indicators of compromise are discovered, SonicWall recommends reimaging physical appliances or redeploying virtual appliances, changing all user and administrator passwords, and resetting time based one time password authentication tokens to prevent continued unauthorized access.
The vulnerabilities were discovered and reported by Adam Babis from SonicWall’s Product Security Incident Response Team. SonicWall also credited security researchers Sean Koessel and Steven Adair from Volexity for assisting with the internal investigation and identifying an additional indicator of compromise. Following confirmation of active exploitation, U.S. Cybersecurity and Infrastructure Security Agency added both vulnerabilities to its Known Exploited Vulnerabilities catalog. As a result, Federal Civilian Executive Branch agencies have been instructed to apply the available patches by July 17, 2026, to reduce the risk of further attacks against government systems. The inclusion of the vulnerabilities in the catalog highlights the seriousness of the threat and reinforces the importance of timely patch management for internet facing security appliances.
Additional details released by Rapid7 on July 15, 2026, indicate that attackers have been actively targeting internet facing SMA 1000 appliances since at least late June. According to the cybersecurity company, threat actors are believed to be chaining the two vulnerabilities together to fully compromise vulnerable devices. After gaining access, attackers reportedly executed operating system commands by bypassing traditional input validation controls and harvested valuable credentials, active session databases, and time based one time password multi factor authentication seed configurations to establish persistent access. Rapid7 also observed attackers moving laterally from compromised appliances into internal corporate networks, carrying out unusual Active Directory authentications directly from the appliance without using VPN connections. These authentication attempts targeted core domain controllers and originated from the appliance’s internal IP address while using uncommon workstation names such as “kali” through the integrated LDAP service account. According to Rapid7, this activity demonstrated that the compromised appliance had effectively become an unmonitored backdoor into an organization’s directory infrastructure, allowing attackers to maintain access and continue operations beyond the initial compromise.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.