SonicWall warns of active exploitation of two SMA 1000 zero-days

Wait 5 sec.

SonicWall warns of active attacks exploiting two SMA 1000 zero-days, including a flaw enabling arbitrary command execution.SonicWall confirmed the active exploitation of two zero-day vulnerabilities affecting Secure Mobile Access (SMA) 1000 appliances. The vulnerabilities were internally discovered and reported by Adam Babis of the company’s PSIRT.The company investigated multiple incidents indicating these vulnerabilities are being actively exploited in the wild.The first vulnerability, tracked as CVE-2026-15409 (CVSS score of 10.0), is a Server-side request forgery (SSRF) issue that a remote unauthenticated attacker could exploit to potentially cause the appliance to make requests to an unintended location.“A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.” reads the advisory.The second vulnerability, tracked as CVE-2026-15410 (CVSS score of 7.2), is a post-authentication code injection flaw in the Appliance Management Console (AMC) that a remote authenticated attacker could exploit to execute arbitrary operating system commands as administrator under certain conditions.“Post-authentication improper control of generation of code (‘Code Injection’) vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.” continues the advisory. “SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory.”The vulnerabilities impact the following software and versions: Affected ProductAffected Version(s)SMA1000 Models – 6210, 7210, 8200v 12.4.3-03245, 12.4.3-03387 and 12.4.3-03434 (platform-hotfix)12.5.0-02283, 12.5.0-02624 and 12.5.0-02800 (platform-hotfix)The company addressed the issue in the following versions:12.4.3-03453 (platform-hotfix) and higher versions.12.5.0-02835 (platform-hotfix) and higher versions.Customers should review system logs for indicators of compromise, such as unusual requests to login or logout API endpoints, suspicious WebSocket proxy connections, evidence of hotfix rollbacks using path traversal techniques, or unauthorized API routes in the appliance configuration. SonicWall strongly recommends upgrading to the latest hotfix, performing a full forensic investigation, and, if compromise is confirmed, re-imaging or redeploying the appliance, resetting all user and administrator passwords, and re-enrolling TOTP tokens.Sean Koessel and Steven Adair of Volexity helped advance PSIRT investigation, leading to the identification of an additional IOC.“Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities.” concludes the advisory.In December, SonicWall urged customers to address another SMA1000 Appliance Management Console issue that was exploited as a zero-day in attacks in the wild.The flaw is a local privilege escalation issue which is due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).“A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).” reads the advisory published by the company. “Please note that SonicWall Firewall products are not affected by this vulnerability.”The vendor warned customers that the vulnerability was chained with CVE-2025-23006 (CVSS score 9.8) in zero-day attacks to escalate privileges. The vendor has not disclosed details about the attacks that exploited the flaw as a zero-day, nor the attackers’ motivations.Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, SMA 1000)