SonicWall Rushes to Patch Two Live Attacks on Remote Access Boxes

One of the flaws scores a perfect 10 out of 10 for severity, and attackers are already using both in real intrusions.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial image of a rack-mounted network security appliance in a dimly lit server room, blue and amber status LEDs glowing, ethernet cable
Share

Key points

  • SonicWall confirmed on active exploitation of two previously unknown flaws in its SMA 1000 remote access appliances.
  • One flaw, CVE-2026-15409, carries the maximum severity score of 10.0 and needs no login to exploit.
  • The second flaw can let an attacker run administrator commands on the device.
  • SMA 1000 appliances sit at the edge of corporate networks and are used by staff to log in remotely.
  • Customers are urged to apply SonicWall's fixes immediately and hunt for signs of intrusion.

SonicWall, a company that sells network security gear, has told customers that criminals are actively breaking into two of its products using flaws the company only just learned about.

The affected kit is the Secure Mobile Access 1000 series, or SMA 1000. Think of it as the digital front door many companies use so employees can log in from home or the road. When that door has a broken lock, the whole building is exposed.

Both flaws are what the industry calls zero-days, meaning software bugs the vendor did not know about until attackers were already using them.

What can the attackers actually do?

They can reach inside the appliance without a password, and in the worst case run their own commands on it as if they were the administrator.

The more serious of the two bugs is tracked as CVE-2026-15409. It scores 10.0 on the industry severity scale, which is as bad as the scale goes. The technical name is server-side request forgery, or SSRF. In plain English, that means an attacker can trick the appliance into making requests on their behalf, reaching internal systems the attacker should never be able to touch from the outside. No username. No password. Just a crafted web request.

The second flaw, according to SonicWall's advisory shared through The Hacker News, can be chained with the first to run arbitrary commands. Once you can run commands on the box that guards remote access, you effectively own the network's front door.

Who is at risk?

Any organisation running an SMA 1000 appliance exposed to the internet. That includes plenty of mid-sized businesses, hospitals, law firms and government offices that rely on these devices for remote work.

SonicWall has not named the victims. The company says the attacks it has seen so far look targeted rather than mass-scale, but that can change fast once details leak. Historically, SonicWall SMA devices have been popular hunting ground for ransomware crews, the criminals who lock up a victim's files and demand payment to unlock them.

What should ordinary customers and staff do?

If your employer uses SonicWall to let you work remotely, expect a forced password reset or a brief outage while IT teams patch. That is a good sign, not a bad one.

For the IT teams themselves, SonicWall's guidance is direct. Apply the fixed firmware straight away. Rotate any credentials that touched the appliance. Check logs for unusual outbound requests from the device, which is the classic footprint of an SSRF attack in progress.

And if the appliance does not need to be reachable from the whole internet, restrict it. A door only strangers can knock on is safer than one the entire world can.

This is the second year running that SonicWall has had to warn customers about live attacks on its remote access line. That pattern matters. Edge devices are where 2025 and 2026's most damaging intrusions have started, and attackers know it.

© 2026 Threat Vectr