SonicWall is warning customers to immediately patch SMA 1000-series remote-access appliances after confirming that two zero-day vulnerabilities β€” one carrying a maximum CVSS score of 10.0 β€” are being chained together in active attacks to take full control of internet-facing devices.

Rapid7’s managed detection and response team, which discovered the campaign, says targeted exploitation of SMA 1000 appliances has been underway since at least late June. CISA has responded with one of its tightest deadlines of the year: federal agencies must remediate by July 17 under Binding Operational Directive 26-04 β€” or stop using the product.

The Vulnerabilities

CVE-2026-15409 (CVSS 10.0) is a server-side request forgery flaw in the SMA 1000’s WorkPlace interface, served on port 443 by default. The bug lives in a websocket proxy feature reachable at /wsproxy, which accepts attacker-supplied host and port values in URL parameters and obligingly opens what Rapid7 describes as a netcat-like TCP tunnel to them. No authentication required.

By pointing that tunnel at localhost, a remote attacker can converse directly with internal appliance services that were never meant to be reachable from the internet β€” sending and receiving arbitrary TCP traffic to the device’s own management plane from anywhere in the world.

CVE-2026-15410, the second zero-day, picks up where the first leaves off: SonicWall warns it can enable execution of admin-level commands. Chained, the pair converts an unauthenticated internet request into full appliance takeover.

Who’s Affected, and What to Do

The flaws affect SMA 1000 models 6210, 7210, and the 8200v virtual appliance. Fixed releases are:

  • 12.4.3-03453 (hotfix)
  • 12.5.0-02835

SonicWall says it investigated multiple incidents and confirmed both vulnerabilities are being exploited in the wild. Organizations running SMA 1000 devices should assume they have been probed and act accordingly:

  1. Patch now β€” ahead of the federal deadline, because attackers read advisories too, and the publication of technical detail on /wsproxy starts the clock for mass exploitation.
  2. Hunt, don’t just patch. Exploitation has been running since late June; a patch applied today does nothing about a device compromised two weeks ago. Review appliance logs for anomalous websocket connections and unexpected administrative actions, and treat credentials and sessions that transited the device as suspect.
  3. Restrict management exposure and rotate credentials/certificates bound to the appliance if any compromise indicators surface.

The Edge-Device Drumbeat Continues

If this feels like dΓ©jΓ  vu, it should. Secure remote access appliances β€” the boxes bought specifically to protect the perimeter β€” have been 2026’s most reliable initial-access vector, a pattern we’ve tracked from the FortiBleed exploitation wave that hit Fortinet customers this month to Ubiquiti’s own CVSS 10.0 command injection last week, and Cisco’s sixth exploited SD-WAN zero-day of the year patched just days ago.

The economics are structural. An SMA 1000 sits on the open internet by design, terminates VPN sessions for the whole workforce, holds or brokers privileged credentials, and β€” critically β€” usually runs no EDR agent and produces logs nobody reads. For a ransomware affiliate or espionage crew, one appliance zero-day replaces a thousand phishing emails.

SonicWall specifically has been a repeat visitor to the KEV catalog: SMA 100-series bugs fueled ransomware campaigns for years, and the SMA 1000’s higher-end enterprise install base makes this round more valuable per device, not less.

For defenders, the takeaway hardens a little more with each cycle: edge appliances deserve the same assume-breach treatment as domain controllers. Inventory them, monitor them externally (they won’t self-report), patch them within days rather than quarters, and architect so that one popped box on the perimeter cannot cash out into the entire network.

Sources