CVE-2026-15409 — SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability

CVE-2026-15409

SonicWall SMA1000 — Unauthenticated Work Place SSRF Chained With Admin Code Injection in Zero-Day Attacks

What is SonicWall SMA1000?

The SonicWall SMA1000 series (models including SMA6210, SMA7210, and SMA8200v) is a secure remote-access appliance line used by organizations to provide employees with VPN-less, browser-based access to internal applications — similar in role to Citrix Gateway or Ivanti Connect Secure. Because SMA1000 appliances are deployed at the network perimeter and broker authenticated access into internal systems, they are a high-value target: compromising the appliance itself can expose everything behind it.

Overview

SonicWall SMA1000 appliances contain a critical server-side request forgery (SSRF) vulnerability in the unauthenticated Work Place portal interface. By submitting a request containing an encoded URL, a remote, unauthenticated attacker can force the appliance to issue HTTP requests to attacker-chosen destinations — effectively turning the internet-facing appliance into an open proxy for reaching internal network resources it would otherwise protect.

This flaw was disclosed alongside a companion authenticated code-injection bug in the Appliance Management Console, CVE-2026-15410, and SonicWall's advisory and multiple security researchers confirmed the two are being exploited together in a real-world attack chain: the unauthenticated SSRF is used for initial reach into the appliance, and the code-injection flaw is then used to escalate to full OS command execution with administrative privileges.

Affected Versions

Product Vulnerable Versions Fixed Versions
SonicWall SMA6210 / SMA7210 / SMA8200v 12.4.3-03245, 12.4.3-03387, 12.4.3-03434; 12.5.0-02283, 12.5.0-02624, 12.5.0-02800 12.4.3-03453 or later; 12.5.0-02835 or later

Technical Details

  • Root cause: The Work Place interface accepts an encoded URL parameter and dereferences it server-side without validating that the target is a permitted internal destination (CWE-918: Server-Side Request Forgery).
  • Attack vector: Network, no authentication and no user interaction required (AV:N/AC:L/PR:N/UI:N), with a scope change (S:C) reflecting that the SSRF lets the attacker affect resources beyond the vulnerable component itself. CVSS 3.1 base score: 10.0 (Critical).
  • Attack characteristics: A single crafted HTTP request to the Work Place interface is sufficient — no chaining with other exploits is required to trigger the SSRF itself, though real-world attacks combine it with CVE-2026-15410 for full compromise.
  • Impact: Full confidentiality, integrity, and availability impact once chained with the code-injection flaw, as the attacker can pivot from the SSRF primitive into privileged code execution on the appliance.

Discovery

Reported by Adam Babis of SonicWall's own Product Security Incident Response Team (PSIRT). Volexity researchers Sean Koessel and Steven Adair assisted the investigation, expanding the indicator-of-compromise list after independently observing exploitation.

Exploitation Context

SonicWall's advisory notes "multiple cases indicating active exploitation" as of the July 14, 2026 disclosure. Volexity's involvement suggests the vulnerabilities were caught during incident-response engagements at compromised customers rather than through proactive vendor research. Indicators of compromise include rogue /__api__/login routes appearing in device configuration and suspicious /wsproxy requests in appliance access logs. Shodan, Censys, and Netlas scans show roughly 2,000–4,000 internet-exposed SMA appliances, the majority located in the United States. No specific threat-actor name has been publicly attributed to the campaign.

Remediation

  1. Apply the vendor hotfix immediately — upgrade to platform-hotfix 12.4.3-03453 or 12.5.0-02835 (or later) per SonicWall advisory SNWLID-2026-0008.
  2. Hunt for the published IOCs — review appliance configuration for unexpected /__api__/login routes and scan access logs for anomalous /wsproxy requests.
  3. Restrict internet exposure where possible while patching — limit the Work Place portal and Appliance Management Console to trusted source IPs via firewall rules.
  4. Rotate credentials and session tokens for any SMA1000 appliance suspected of compromise, given the chain's potential for full administrative takeover.
  5. Review CISA and vendor guidance for forensic triage steps before and after patching, in line with BOD 26-04's requirements for internet-exposed assets.

Key Details

PropertyValue
CVE ID CVE-2026-15409
Vendor / Product SonicWall — SMA1000 Appliances
NVD Published2026-07-14
NVD Last Modified2026-07-15
CVSS 3.1 Score10
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-918 find similar ↗
CISA KEV Added2026-07-14
CISA KEV Deadline2026-07-17
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-17. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-07-14SonicWall PSIRT publishes advisory SNWLID-2026-0008; added to CISA KEV the same day
2026-07-17CISA BOD 22-01 remediation deadline