Powered by MOMENTUMMEDIA
For breaking news and daily updates, subscribe to our newsletter

Patch now! SonicWall warns of active exploitation of Secure Mobile Access appliances

“Patching is the bare minimum, and breach should be assumed,” says a cyber security expert as hackers target a pair of zero-day vulnerabilities.

Thu, 16 Jul 2026
Patch now! SonicWall warns of active exploitation of Secure Mobile Access appliances

SonicWall has told its customers to immediately apply a hotfix to address a pair of vulnerabilities that are being actively exploited by malicious actors.

The two zero-days – CVE-2026-15409 and CVE-2026-15410 – impact the company’s Secure Mobile Access 1000 series appliances.

CVE-2026-15409 is a server-side request forgery flaw – with a CVSS score of 10 – in the SMA1000 Appliance Work Place interface, while CVE-2026-15410 is a code injection vulnerability in the SMA1000 Appliance Management Console.

 
 

“SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory,” the company said in a 14 July advisory.

“Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities.”

The vulnerabilities impact SMA1000 models 6210, 7210, and 8200v, and in the following product versions: 12.4.3-03245, 12.4.3-03387, and 12.4.3-03434, as well as 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800.

While there is no workaround, SonicWall recommends the following mitigation strategies:

  • Perform a forensic review for indicators of compromise.
  • Re-image physical appliances or redeploy virtual appliances if compromise is identified.
  • Change user and administrator passwords.
  • Reset TOTP tokens following confirmed compromise.

Cyber security firm Rapid7, which was one of the first to observe the zero-days being exploited, outlined in a recent blog post the kind of activity taking place.

“Prior to SonicWall’s official vulnerability disclosure, our Managed Detection and Response team observed active, targeted exploitation of internet-facing SMA 1000-series appliances. Threat actors were primarily leveraging the perimeter appliance as a stealthy initial access vector, executing commands on the operating system by bypassing traditional input validation controls,” Rapid7’s analysts said.

“Once they established a foothold on the appliance, the actors systematically extracted high-value credentials, active session databases, and time-based one-time password (TOTP) multi-factor authentication (MFA) seed configurations. This local harvesting was designed to ensure long-term, persistent access that could survive standard network-level remediations.”

With those credentials, the threat actors pivoted to lateral movement deeper into the network.

watchTowr CEO and founder Benjamin Harris noted that SonicWall’s disclosure was fuelling a “sense of dread” due to two sobering points: “both were being exploited as zero-days before fixes were available, and together they offer a plausible path to remote code execution from the internet”.

“While it is unclear whether both vulnerabilities are related, given the context, situation, and joint disclosure, and the fact that both are marked as already exploited in the wild, we can all make a fairly educated guess,” Harris told Cyber Daily.

“This is a familiar pattern for SonicWall appliances and Secure by Design pledgees in general. Attackers of every calibre (literally every calibre) continue to target SSLVPN appliances, and the trend is not changing. As always, when something is confirmed as already exploited in the wild, patching is the bare minimum, and breach should be assumed.”

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.