ctipilot.ch
← Back to the live brief
HIGHCVE-2026-15409 +1exploitedNATOA2vulnerability

CVE-2026-15409 — SonicWall SMA1000: unauthenticated SSRF (CVSS 10.0) chained to post-auth code injection, actively exploited

discovered 2026-07-14 20:19 UTCrun 2026-07-14T2009Z-intel1 sourcesingle-source

SonicWall's PSIRT advisory SNWLID-2026-0008 (first published 2026-07-14) states it has investigated "multiple cases indicating the active exploitation" of two new SMA1000 flaws (SonicWall PSIRT, 2026-07-14); both CVEs carry a same-day CISA KEV listing (recorded in this entry's CVE status, confirmed against the KEV feed). CVE-2026-15409 (CVSS 10.0, CWE-918) is a server-side request forgery in the SMA1000 Work Place interface that lets a remote, unauthenticated attacker force the appliance to issue requests to an attacker-chosen location; the scope-changed CVSS vector (S:C) indicates the SSRF reaches beyond the vulnerable component's own security boundary. CVE-2026-15410 (CVSS 7.2, CWE-94) is a post-authentication code-injection flaw in the SMA1000 Appliance Management Console (AMC) that lets an authenticated administrator-level session run arbitrary OS commands — read together with the pre-auth SSRF, the pair forms a chain from zero access toward root-equivalent appliance control. The affected firmware is SMA1000 6210/7210/8200v on 12.4.3-03245/03387/03434 and 12.5.0-02283/02624/02800; the fix is platform-hotfix 12.4.3-03453 or 12.5.0-02835, and SonicWall explicitly states neither flaw affects SSL-VPN running on SonicWall firewalls or the SMA100 series (SonicWall PSIRT, 2026-07-14).

SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory. Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities.

A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.

Sean Koessel and Steven Adair of Volexity - helped advance SonicWall's PSIRT investigation, leading to the identification of an additional IOC.

SonicWall PSIRT 2026-07-14

Defender actions

  • Upgrade every internet-facing SonicWall SMA1000 (6210/7210/8200v) to platform-hotfix 12.4.3-03453 or 12.5.0-02835 now — active exploitation is vendor-confirmed and both CVEs are KEV-listed; SMA100-series and firewall-hosted SSL-VPN are not affected, so scope the emergency change to SMA1000 only.

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1059Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.