Overview
SonicWall has issued an urgent advisory warning of active exploitation of two zero‑day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances. One of these flaws carries a CVSS score of 10.0 and could allow attackers to execute arbitrary commands with administrator privileges.
The Vulnerabilities
- CVE‑2026‑15409 (CVSS 10.0)
- Server‑Side Request Forgery (SSRF).
- Exploitable by remote unauthenticated attackers.
- Could force the appliance to make requests to unintended locations.
- CVE‑2026‑15410 (CVSS 7.2)
- Post‑authentication code injection in the Appliance Management Console (AMC).
- Exploitable by authenticated attackers.
- Could enable arbitrary OS command execution as administrator under certain conditions.
Active Exploitation & Indicators of Compromise (IoCs)
SonicWall confirmed multiple cases of exploitation and urges immediate patching. Indicators of compromise include:
- extraweb_access.log entries with
/__api__/loginor/__api__/logoutshowing HTTP 200 status. - Requests to
/wsproxywith suspicious host parameters and HTTP 101 status. - ctrl‑service.log entries showing hotfix rollbacks with path traversal names.
- conf.json containing routes for
/__api__/loginor/__api__/logout(not legitimate).
If these IoCs are present, SonicWall advises:
- Re‑image physical appliances or redeploy virtual appliances.
- Reset all passwords for users and administrators.
- Reset time‑based one‑time password tokens.
Patches & Mitigation
Fixed versions include:
- 12.4.3‑03453 (platform‑hotfix) and higher.
- 12.5.0‑02835 (platform‑hotfix) and higher.
Organizations should apply patches immediately and conduct forensic analysis to confirm whether exploitation has occurred.
CISA Response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to patch by July 17, 2026.
Expert in the Cloud Insight
These SonicWall zero‑days highlight the critical risk posed by remote access appliances, which sit at the edge of enterprise networks and are prime targets for attackers. The combination of an unauthenticated SSRF and a post‑auth code injection makes this campaign particularly dangerous, enabling both initial access and privilege escalation.
For defenders, the lesson is clear: patch immediately, monitor logs for IoCs, and treat remote access gateways as high‑value assets requiring continuous hardening and forensic readiness.
Leave a Reply