What is SonicWall SMA1000?
The SonicWall SMA1000 series (models including SMA6210, SMA7210, and SMA8200v) is a secure remote-access appliance line used by organizations to provide employees with VPN-less, browser-based access to internal applications — similar in role to Citrix Gateway or Ivanti Connect Secure. Because SMA1000 appliances are deployed at the network perimeter and broker authenticated access into internal systems, they are a high-value target: compromising the appliance itself can expose everything behind it.
Overview
SonicWall SMA1000 appliances contain a critical server-side request forgery (SSRF) vulnerability in the unauthenticated Work Place portal interface. By submitting a request containing an encoded URL, a remote, unauthenticated attacker can force the appliance to issue HTTP requests to attacker-chosen destinations — effectively turning the internet-facing appliance into an open proxy for reaching internal network resources it would otherwise protect.
This flaw was disclosed alongside a companion authenticated code-injection bug in the Appliance Management Console, CVE-2026-15410, and SonicWall's advisory and multiple security researchers confirmed the two are being exploited together in a real-world attack chain: the unauthenticated SSRF is used for initial reach into the appliance, and the code-injection flaw is then used to escalate to full OS command execution with administrative privileges.
Affected Versions
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| SonicWall SMA6210 / SMA7210 / SMA8200v | 12.4.3-03245, 12.4.3-03387, 12.4.3-03434; 12.5.0-02283, 12.5.0-02624, 12.5.0-02800 | 12.4.3-03453 or later; 12.5.0-02835 or later |
Technical Details
- Root cause: The Work Place interface accepts an encoded URL parameter and dereferences it server-side without validating that the target is a permitted internal destination (CWE-918: Server-Side Request Forgery).
- Attack vector: Network, no authentication and no user interaction required (
AV:N/AC:L/PR:N/UI:N), with a scope change (S:C) reflecting that the SSRF lets the attacker affect resources beyond the vulnerable component itself. CVSS 3.1 base score: 10.0 (Critical). - Attack characteristics: A single crafted HTTP request to the Work Place interface is sufficient — no chaining with other exploits is required to trigger the SSRF itself, though real-world attacks combine it with CVE-2026-15410 for full compromise.
- Impact: Full confidentiality, integrity, and availability impact once chained with the code-injection flaw, as the attacker can pivot from the SSRF primitive into privileged code execution on the appliance.
Discovery
Reported by Adam Babis of SonicWall's own Product Security Incident Response Team (PSIRT). Volexity researchers Sean Koessel and Steven Adair assisted the investigation, expanding the indicator-of-compromise list after independently observing exploitation.
Exploitation Context
SonicWall's advisory notes "multiple cases indicating active exploitation" as of the July 14, 2026 disclosure. Volexity's involvement suggests the vulnerabilities were caught during incident-response engagements at compromised customers rather than through proactive vendor research. Indicators of compromise include rogue /__api__/login routes appearing in device configuration and suspicious /wsproxy requests in appliance access logs. Shodan, Censys, and Netlas scans show roughly 2,000–4,000 internet-exposed SMA appliances, the majority located in the United States. No specific threat-actor name has been publicly attributed to the campaign.
Remediation
- Apply the vendor hotfix immediately — upgrade to platform-hotfix 12.4.3-03453 or 12.5.0-02835 (or later) per SonicWall advisory SNWLID-2026-0008.
- Hunt for the published IOCs — review appliance configuration for unexpected
/__api__/loginroutes and scan access logs for anomalous/wsproxyrequests. - Restrict internet exposure where possible while patching — limit the Work Place portal and Appliance Management Console to trusted source IPs via firewall rules.
- Rotate credentials and session tokens for any SMA1000 appliance suspected of compromise, given the chain's potential for full administrative takeover.
- Review CISA and vendor guidance for forensic triage steps before and after patching, in line with BOD 26-04's requirements for internet-exposed assets.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-15409 |
| Vendor / Product | SonicWall — SMA1000 Appliances |
| NVD Published | 2026-07-14 |
| NVD Last Modified | 2026-07-15 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-918 find similar ↗ |
| CISA KEV Added | 2026-07-14 |
| CISA KEV Deadline | 2026-07-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-07-14 | SonicWall PSIRT publishes advisory SNWLID-2026-0008; added to CISA KEV the same day |
| 2026-07-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-15409 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| SonicWall PSIRT Advisory SNWLID-2026-0008 | Vendor Advisory |
| BleepingComputer — SonicWall warns of SMA1000 flaws exploited in zero-day attacks | News |
| The Hacker News — Two SonicWall SMA 1000 zero-days | News |
| Help Net Security — SonicWall SMA attacks via CVE-2026-15409, CVE-2026-15410 | Security Research |
| Cybersecurity Dive — SonicWall SMA 1000 exposure analysis | News |