SonicWall says two SMA1000 flaws are being used in live attacks
One bug scores a perfect 10 on the severity scale. Federal agencies have until July 17, 2026 to patch or pull the plug.

Key points
- SonicWall confirmed on its advisory that two flaws in its SMA1000 remote-access appliances, tracked as CVE-2026-15409 and CVE-2026-15410, are being exploited by hackers right now.
- CVE-2026-15409 scores the maximum 10.0 on the industry severity scale and lets an unauthenticated attacker abuse the device from the internet.
- Affected models are the SMA1000 6210, 7210, and 8200v; fixes ship in platform-hotfix 12.4.3-03453 and 12.5.0-02835.
- The U.S. Cybersecurity and Infrastructure Security Agency added both bugs to its Known Exploited Vulnerabilities list, giving federal agencies until July 17, 2026 to patch.
- SonicWall says there is no workaround. Only the hotfix stops the attack.
SonicWall has told customers that criminals are actively breaking into its SMA1000 appliances, the boxes many companies use to give remote workers a secure door into the corporate network.
Two separate flaws are in play. Both were unknown to SonicWall until attacks were already under way, which makes them zero-days: bugs the vendor had no patch for when the exploitation started.
The first, CVE-2026-15409, sits in the appliance's web-based Work Place interface. It is a server-side request forgery flaw, which is a trick that makes the device fetch things on the attacker's behalf from places it should not touch. No login is needed. SonicWall rates it a perfect 10.0 out of 10 on the standard severity scale.
The second, CVE-2026-15410, lives in the Appliance Management Console. It lets an attacker who is already signed in as an administrator run their own commands on the underlying operating system. On its own it scores 7.2, but SonicWall marked the overall advisory as 10.0, hinting the two bugs may be useful together.
The company has not confirmed whether the attackers are chaining them. BleepingComputer first reported the advisory and has asked SonicWall to clarify.
Who is affected?
Owners of SonicWall SMA1000 models 6210, 7210, and 8200v running any of these platform-hotfix builds: 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, or 12.5.0-02800.
SonicWall says the flaws do not affect SSL-VPN on its firewalls or the smaller SMA 100 Series. If you run one of those, you can breathe out.
Everyone else needs to move to hotfix 12.4.3-03453 or 12.5.0-02835, or a later release. There is no toggle, config change, or firewall rule that blunts the attack. The patch is the fix.
How do you know if you were hit?
SonicWall published a short list of tell-tale traces on the device. Administrators should check for:
- Requests to
/__api__/loginor/__api__/logoutinextraweb_access.logthat returned HTTP 200. - Requests to
/wsproxyin the same log with odd host parameters and a 101 status. - Hotfix rollbacks in
ctrl-service.logwith path-traversal style filenames. - Routes for
/__api__/loginor/__api__/logoutinside/var/lib/unit/conf.json, which a clean box should never contain.
If any of those show up, SonicWall's advice is blunt. Wipe the appliance and rebuild it, or redeploy the virtual version from scratch. Then reset every user and administrator password, and issue new time-based one-time-password tokens (the six-digit codes staff generate on their phones).
CISA has added both flaws to its Known Exploited Vulnerabilities catalog. Under Binding Operational Directive 26-04, federal civilian agencies must patch by July 17, 2026 or stop using the product. Private companies are not bound by that deadline, but the list is a strong signal that these are not theoretical bugs.
SonicWall's Product Security Incident Response Team says it has already investigated multiple confirmed intrusions. Neither the victims nor the attacker groups have been named.



