What is SonicWall SMA1000?
The SonicWall SMA1000 series is a secure remote-access appliance line (models SMA6210, SMA7210, SMA8200v) that brokers browser-based, VPN-less access to internal applications for remote employees. As an internet-facing gateway into internal networks, the appliance's own management console is a prime target — full control of it typically means full control over what internal resources remote users, and now attackers, can reach.
Overview
SonicWall SMA1000 appliances contain a code injection vulnerability in the Appliance Management Console that, under specific conditions, allows a remote, authenticated administrator-level attacker to execute arbitrary OS commands. This is the companion bug to CVE-2026-15409, an unauthenticated SSRF in the Work Place portal. SonicWall's advisory and independent researchers confirmed the two are being actively exploited together in a real-world attack chain: attackers use the unauthenticated SSRF to gain initial reach into the appliance, then leverage this code-injection flaw to escalate to full OS command execution with administrative privileges.
Affected Versions
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| SonicWall SMA6210 / SMA7210 / SMA8200v | 12.4.3-03245, 12.4.3-03387, 12.4.3-03434; 12.5.0-02283, 12.5.0-02624, 12.5.0-02800 | 12.4.3-03453 or later; 12.5.0-02835 or later |
Technical Details
- Root cause: The Appliance Management Console fails to adequately neutralize special elements in administrator-supplied input before using it in a command context, allowing arbitrary OS command execution (CWE-94: Improper Control of Generation of Code).
- Attack vector: Network, requiring high privileges (administrator-level authentication) but no user interaction (
AV:N/AC:L/PR:H/UI:N). CVSS 3.1 base score: 7.2 (High). - Attack characteristics: Exploitation requires the attacker to already hold, or have obtained, administrative credentials or session access — which is precisely what CVE-2026-15409's SSRF is used to achieve in the observed attack chain, making the pair far more dangerous together than either flaw alone.
- Impact: Full confidentiality, integrity, and availability impact — arbitrary OS command execution on the appliance itself.
Discovery
Reported by Adam Babis of SonicWall's own Product Security Incident Response Team (PSIRT), alongside CVE-2026-15409. Volexity researchers Sean Koessel and Steven Adair assisted the investigation after observing exploitation at affected organizations.
Exploitation Context
Confirmed exploited in tandem with CVE-2026-15409 in zero-day attacks as of the July 14, 2026 disclosure. SonicWall's advisory cites "multiple cases indicating active exploitation," and Volexity's involvement points to discovery via incident-response work at compromised customers. No specific threat-actor name has been publicly attributed. See CVE-2026-15409 for shared indicators of compromise and exposure data for the SMA1000 line.
Remediation
- Apply the vendor hotfix immediately — upgrade to platform-hotfix 12.4.3-03453 or 12.5.0-02835 (or later) per SonicWall advisory SNWLID-2026-0008, which resolves both this flaw and CVE-2026-15409.
- Audit administrator accounts and sessions on the Appliance Management Console for unauthorized access, given this flaw's reliance on admin-level credentials.
- Review appliance configuration and logs for signs of unauthorized command execution or configuration drift.
- Restrict management console access to trusted management networks only; never expose it directly to the internet.
- Rotate administrative credentials for any appliance suspected of compromise before it is returned to production.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-15410 |
| Vendor / Product | SonicWall — SMA1000 Appliances |
| NVD Published | 2026-07-14 |
| NVD Last Modified | 2026-07-15 |
| CVSS 3.1 Score | 7.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-94 find similar ↗ |
| CISA KEV Added | 2026-07-14 |
| CISA KEV Deadline | 2026-07-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-07-14 | SonicWall PSIRT publishes advisory SNWLID-2026-0008; added to CISA KEV the same day |
| 2026-07-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-15410 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| SonicWall PSIRT Advisory SNWLID-2026-0008 | Vendor Advisory |
| BleepingComputer — SonicWall warns of SMA1000 flaws exploited in zero-day attacks | News |
| SecurityAffairs — Active exploitation of two SMA 1000 zero-days | News |