CVE-2026-15410 — SonicWall SMA1000 Appliances Code Injection Vulnerability

CVE-2026-15410

SonicWall SMA1000 — Authenticated Code Injection Chained With SSRF for Full Appliance Takeover

What is SonicWall SMA1000?

The SonicWall SMA1000 series is a secure remote-access appliance line (models SMA6210, SMA7210, SMA8200v) that brokers browser-based, VPN-less access to internal applications for remote employees. As an internet-facing gateway into internal networks, the appliance's own management console is a prime target — full control of it typically means full control over what internal resources remote users, and now attackers, can reach.

Overview

SonicWall SMA1000 appliances contain a code injection vulnerability in the Appliance Management Console that, under specific conditions, allows a remote, authenticated administrator-level attacker to execute arbitrary OS commands. This is the companion bug to CVE-2026-15409, an unauthenticated SSRF in the Work Place portal. SonicWall's advisory and independent researchers confirmed the two are being actively exploited together in a real-world attack chain: attackers use the unauthenticated SSRF to gain initial reach into the appliance, then leverage this code-injection flaw to escalate to full OS command execution with administrative privileges.

Affected Versions

Product Vulnerable Versions Fixed Versions
SonicWall SMA6210 / SMA7210 / SMA8200v 12.4.3-03245, 12.4.3-03387, 12.4.3-03434; 12.5.0-02283, 12.5.0-02624, 12.5.0-02800 12.4.3-03453 or later; 12.5.0-02835 or later

Technical Details

  • Root cause: The Appliance Management Console fails to adequately neutralize special elements in administrator-supplied input before using it in a command context, allowing arbitrary OS command execution (CWE-94: Improper Control of Generation of Code).
  • Attack vector: Network, requiring high privileges (administrator-level authentication) but no user interaction (AV:N/AC:L/PR:H/UI:N). CVSS 3.1 base score: 7.2 (High).
  • Attack characteristics: Exploitation requires the attacker to already hold, or have obtained, administrative credentials or session access — which is precisely what CVE-2026-15409's SSRF is used to achieve in the observed attack chain, making the pair far more dangerous together than either flaw alone.
  • Impact: Full confidentiality, integrity, and availability impact — arbitrary OS command execution on the appliance itself.

Discovery

Reported by Adam Babis of SonicWall's own Product Security Incident Response Team (PSIRT), alongside CVE-2026-15409. Volexity researchers Sean Koessel and Steven Adair assisted the investigation after observing exploitation at affected organizations.

Exploitation Context

Confirmed exploited in tandem with CVE-2026-15409 in zero-day attacks as of the July 14, 2026 disclosure. SonicWall's advisory cites "multiple cases indicating active exploitation," and Volexity's involvement points to discovery via incident-response work at compromised customers. No specific threat-actor name has been publicly attributed. See CVE-2026-15409 for shared indicators of compromise and exposure data for the SMA1000 line.

Remediation

  1. Apply the vendor hotfix immediately — upgrade to platform-hotfix 12.4.3-03453 or 12.5.0-02835 (or later) per SonicWall advisory SNWLID-2026-0008, which resolves both this flaw and CVE-2026-15409.
  2. Audit administrator accounts and sessions on the Appliance Management Console for unauthorized access, given this flaw's reliance on admin-level credentials.
  3. Review appliance configuration and logs for signs of unauthorized command execution or configuration drift.
  4. Restrict management console access to trusted management networks only; never expose it directly to the internet.
  5. Rotate administrative credentials for any appliance suspected of compromise before it is returned to production.

Key Details

PropertyValue
CVE ID CVE-2026-15410
Vendor / Product SonicWall — SMA1000 Appliances
NVD Published2026-07-14
NVD Last Modified2026-07-15
CVSS 3.1 Score7.2
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SeverityHIGH
CWE CWE-94 find similar ↗
CISA KEV Added2026-07-14
CISA KEV Deadline2026-07-17
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-17. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-07-14SonicWall PSIRT publishes advisory SNWLID-2026-0008; added to CISA KEV the same day
2026-07-17CISA BOD 22-01 remediation deadline