SonicWall SMA1000 CVE-2026-15409 RCE: Patch by July 17

SonicWall SMA1000 CVE-2026-15409 RCE

SonicWall confirmed that the SonicWall SMA1000 CVE-2026-15409 RCE chain is being actively exploited: an unauthenticated attacker can force a target appliance into arbitrary requests, then pivot to full administrator-level command execution — no valid login required at any point. CISA added both flaws to its Known Exploited Vulnerabilities catalog, with a federal remediation deadline of July 17, 2026.

What Happened

SonicWall’s own product notice, published and last updated July 14, 2026, confirms two vulnerabilities in its SMA1000 Secure Mobile Access appliances (models 6210, 7210, 8200v, and CMS across all supported hypervisors) are being exploited in the wild. CVE-2026-15409 (CVSS 10.0, Critical) is a server-side request forgery in the Appliance Work Place interface that lets a remote, unauthenticated attacker force the appliance to issue requests to unintended internal locations. CVE-2026-15410 (CVSS 7.2, High) — which SonicWall classifies as Remote Code Execution — is a post-authentication flaw in the Management Console that lets an authenticated administrator session execute arbitrary operating-system commands. Chained together, the SonicWall SMA1000 CVE-2026-15409 RCE path gives an unauthenticated attacker administrator-level command execution on the appliance. Affected firmware: 12.4.3 builds 03245/03387/03434 and 12.5.0 builds 02283/02624/02800.

Why It Matters

SMA1000 appliances sit at the front door of an organization’s remote-access infrastructure — the exact function this flaw turns against its owner. This is the second SonicWall product line DIESEC has covered exploited in 2026, after the Gen6 firewall SSL-VPN MFA bypass in May, and the tenth distinct edge-device product line in this year’s exploitation arc overall. For DACH Mittelstand and MSP-managed environments where SMA1000 provides contractor or home-office VPN access, an unauthenticated RCE chain means the appliance itself — not a stolen credential — is the initial access vector, which changes what an incident response plan needs to check first.

What You Should Do Now

  1. Upgrade all SMA1000 appliances (hardware and virtual) to hotfix 12.4.3-03453 or 12.5.0-02835 or later immediately via MySonicWall.
  2. Before assuming patching alone is sufficient: perform a forensic review for SonicWall’s published indicators of compromise — suspicious 200-status requests to /__api__/login or /__api__/logout in extraweb_access.log, unusual host parameters on /wsproxy requests, “hotfix removal” path-traversal entries in ctrl-service.log, and unexpected login/logout routes planted in /var/lib/unit/conf.json.
  3. If any indicator of compromise is present, do not simply patch and move on: re-image hardware appliances or redeploy virtual ones, rotate every user and administrator password, and reset all TOTP tokens.
  4. Only restore from a configuration backup if it predates the December hotfix builds (12.4.3-03245 / 12.5.0-02283); if no earlier backup exists, audit the current configuration by hand for tampering rather than trusting it as clean.

DIESEC Perspective: SonicWall’s own remediation guidance goes well beyond “install the patch” — it explicitly tells customers to assume compromise and rebuild trust in the appliance from scratch if any IoC is found. That’s a stronger signal about exploitation severity than the CVSS score alone conveys, and it’s the kind of vendor guidance that gets skipped when patch management is treated as a checkbox exercise.

Not sure whether your remote-access appliances have already been probed or compromised? Contact DIESEC for a rapid patch verification and compromise assessment.

Sources: SonicWall Product Notice | BleepingComputer
Published: 2026-07-17 | Category: Vulnerabilities & Patches | ~4 min read