SonicWall has warned that attackers are actively exploiting two newly disclosed zero-day vulnerabilities in Secure Mobile Access 1000 series appliances. The issue deserves immediate attention because SMA devices are internet-facing remote access gateways, and one of the flaws can allow administrator-level operating system commands under specific conditions.

The two vulnerabilities are tracked as CVE-2026-15409 and CVE-2026-15410. SonicWall has released hotfix builds, and the U.S. Cybersecurity and Infrastructure Security Agency has added both flaws to its Known Exploited Vulnerabilities catalog. For organizations that use SMA 1000 appliances, this should be treated as an incident-response priority rather than a routine maintenance item.

What was disclosed

CVE-2026-15409 is a critical server-side request forgery vulnerability with a CVSS score of 10.0. In practical terms, SSRF can let an unauthenticated remote attacker cause the appliance to make requests to unintended internal or external locations. On a remote access appliance, that can become especially serious because the device often has privileged network placement and may be able to reach services that are not directly exposed to the internet.

CVE-2026-15410 is a post-authentication code injection flaw in the Appliance Management Console. It carries a CVSS score of 7.2 and can allow a remote authenticated attacker to run arbitrary operating system commands as an administrator under certain conditions. Although authentication is required for this second vulnerability, it should not be downplayed. Attackers who first obtain credentials, session access, or another foothold may be able to turn this bug into full control of the appliance.

SonicWall says it has investigated multiple cases suggesting active exploitation. That detail changes the risk calculation: defenders should assume that vulnerable, internet-exposed appliances may already have been probed, and in some cases compromised, before patches were applied.

Affected product and fixed versions

The advisory concerns SonicWall Secure Mobile Access 1000 series appliances. SonicWall has made fixes available in platform hotfix versions 12.4.3-03453 and later, and 12.5.0-02835 and later. Administrators should confirm the exact train running in their environment and install the appropriate fixed build from SonicWall’s supported update channels.

Because remote access gateways sit at the boundary between users and internal systems, patching should be scheduled immediately. If emergency change windows are required, security teams should document the active exploitation notice and the CISA KEV listing as justification for accelerated deployment.

Indicators administrators should review

SonicWall’s guidance includes several forensic checks that administrators can use to look for suspicious activity. Security teams should review extraweb_access.log for requests to /__api__/login or /__api__/logout returning HTTP 200, and for /wsproxy requests with suspicious host parameters returning HTTP 101. They should also inspect ctrl-service.log for hotfix rollback activity involving path traversal-style names.

Another important check is the appliance configuration file at /var/lib/unit/conf.json. Routes for /__api__/login or /__api__/logout in that file are not expected in legitimate configurations, according to the reporting summarized by The Hacker News. Their presence should be treated as a strong warning sign.

These checks should be performed before and after patching. Patching closes the known vulnerability, but it does not automatically remove attacker-created accounts, malicious configuration changes, stolen credentials, or persistence mechanisms.

If indicators are present

If the listed indicators of compromise are found, SonicWall’s recommended response is more aggressive than simply applying the hotfix. Organizations should re-image physical appliances or redeploy virtual appliances, change user and administrator passwords, and reset time-based one-time password tokens.

That guidance is appropriate for a boundary security device. Once an attacker has administrator-level control of a remote access appliance, defenders cannot safely assume that logs, configuration, authentication state, or local files are trustworthy. Treat these appliances as potentially exposed choke points and rebuild them from known-good sources when compromise is suspected.

Incident responders should also preserve evidence before rebuilding where operationally possible. Export relevant logs, capture configuration state, record firmware and hotfix versions, and identify the public exposure window. Those details can help determine whether the attacker used the SMA appliance only as a target, or as a staging point to reach internal systems.

Practical containment steps

Organizations should take the following actions now:

- Inventory all SonicWall SMA 1000 appliances, including virtual instances and disaster-recovery systems.
- Confirm whether each appliance is on a fixed hotfix version.
- Restrict management access to trusted administrative networks and require strong MFA for all administrator accounts.
- Review logs for the SonicWall-published indicators and preserve suspicious evidence.
- Rotate administrator and user credentials if compromise cannot be ruled out.
- Reset TOTP tokens where indicators are present or where account integrity is uncertain.
- Monitor VPN and remote access authentication for unusual source locations, impossible travel, and newly created privileged accounts.
- Review internal systems that are reachable from the SMA appliance for follow-on activity.

Why this matters beyond SonicWall

This incident is another reminder that secure access appliances are high-value targets. VPNs, zero trust gateways, and remote management portals are often hardened, but they are also exposed by design. When vulnerabilities emerge in these systems, attackers get a direct opportunity to bypass perimeter assumptions and move closer to sensitive applications.

Defenders should ensure that remote access infrastructure is covered by the same detection and response rigor as endpoints and cloud workloads. That includes centralized logging, configuration backup, administrative access restrictions, tested rebuild procedures, and a clear process for emergency patching.

For now, the key message is simple: identify affected SonicWall SMA 1000 appliances, apply the fixed hotfix builds, and investigate for evidence of exploitation. Where indicators appear, rebuild rather than merely repair.

Source: The Hacker News source