Jessica Entwistle
July 15 2026
SonicWall has issued an urgent security advisory warning that two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances are being actively exploited. The Hacker News reports that CVE-2026-15409, a server-side request forgery flaw with a CVSS score of 10.0, and CVE-2026-15410, a code injection vulnerability, can be chained together by unauthenticated remote attackers to achieve arbitrary command execution with administrative privileges. SonicWall has released patches and is urging all customers using affected appliances to apply updates immediately. The company has confirmed that exploitation is occurring in the wild but has not disclosed the scale, targeting or attribution of the activity.
SMA appliances are commonly used to provide secure remote access for employees, contractors and third parties, meaning they are internet-facing by design and often have privileged access to internal networks, applications and data. A successful exploit of these vulnerabilities would allow an attacker to take full control of the appliance, intercept or manipulate remote access traffic, harvest credentials, deploy malware, and potentially use the device as a pivot point into the wider corporate network. For organisations using SonicWall SMA 1000 devices, this is a critical and time-sensitive issue requiring immediate action. The fact that exploitation is already occurring in the wild means that attackers have working exploit code and are actively scanning for vulnerable devices, which significantly increases the urgency of patching. Remote access appliances are high-value targets because they sit at the boundary between external users and internal resources, and a compromise can provide attackers with a trusted foothold that is difficult to detect.
Organisations using SonicWall SMA 1000 appliances should apply the available patches as a matter of urgency, ideally within the next 24 to 48 hours. If immediate patching is not possible due to change control processes, testing requirements or operational constraints, consider implementing temporary mitigations such as restricting access to the management interface, increasing monitoring and logging, or taking devices offline until updates can be deployed. Review whether remote access appliances are included in regular vulnerability scanning and whether there is a clear process for responding to vendor security advisories affecting internet-facing infrastructure. Check whether logging is enabled on these devices and whether there is sufficient visibility to detect signs of compromise, such as unusual administrative activity, configuration changes or unexpected outbound connections. For organisations that have not yet patched, consider whether there is evidence of compromise, such as unauthorised access, credential harvesting or lateral movement, and ensure that incident response plans are ready to activate if needed.
Source: The Hacker News