ctipilot.ch

SonicWall SMA1000 AMC post-auth code injection (actively exploited)

cve · CVE-2026-15410 single-source

Coverage timeline
1
first 2026-07-14 → last 2026-07-14
Peak priority
high
1 high
Sources cited
1
1 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
1
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
SonicWall SMA1000

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-14/sonicwall-sma1000-ssrf-cve-2026-15409-actively-exploited · ATT&CK page ↗

Execution TA0002

T1059Command and Scripting Interpreter×1

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-07-14/sonicwall-sma1000-ssrf-cve-2026-15409-actively-exploited · ATT&CK page ↗

Story timeline

  1. 2026-07-14CVE-2026-15409 — SonicWall SMA1000: unauthenticated SSRF (CVSS 10.0) chained to post-auth code injection, actively exploited
    trending-vulnerabilitiesSonicWall confirms active exploitation of an unauthenticated SMA1000 SSRF chained to code injection for full appliance takeover

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • psirt.global.sonicwall.com1 (100%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about SonicWall SMA1000 AMC post-auth code injection (actively exploited) (1)

2026-07-14 · view entry permalink →

HIGHCVE-2026-15409 +1exploitedNATOA2

CVE-2026-15409 — SonicWall SMA1000: unauthenticated SSRF (CVSS 10.0) chained to post-auth code injection, actively exploited

SonicWall's PSIRT advisory SNWLID-2026-0008 (first published 2026-07-14) states it has investigated "multiple cases indicating the active exploitation" of two new SMA1000 flaws (SonicWall PSIRT, 2026-07-14); both CVEs carry a same-day CISA KEV listing (recorded in this entry's CVE status, confirmed against the KEV feed). CVE-2026-15409 (CVSS 10.0, CWE-918) is a server-side request forgery in the SMA1000 Work Place interface that lets a remote, unauthenticated attacker force the appliance to issue requests to an attacker-chosen location; the scope-changed CVSS vector (S:C) indicates the SSRF reaches beyond the vulnerable component's own security boundary. CVE-2026-15410 (CVSS 7.2, CWE-94) is a post-authentication code-injection flaw in the SMA1000 Appliance Management Console (AMC) that lets an authenticated administrator-level session run arbitrary OS commands — read together with the pre-auth SSRF, the pair forms a chain from zero access toward root-equivalent appliance control. The affected firmware is SMA1000 6210/7210/8200v on 12.4.3-03245/03387/03434 and 12.5.0-02283/02624/02800; the fix is platform-hotfix 12.4.3-03453 or 12.5.0-02835, and SonicWall explicitly states neither flaw affects SSL-VPN running on SonicWall firewalls or the SMA100 series (SonicWall PSIRT, 2026-07-14).

SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory. Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities.

A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.

Sean Koessel and Steven Adair of Volexity - helped advance SonicWall's PSIRT investigation, leading to the identification of an additional IOC.

SonicWall PSIRT 2026-07-14
vulnerability14 Jul 20:19Zsingle-sourceOpen finding ↗