SonicWall is warning customers to immediately patch SMA 1000-series remote-access appliances after confirming that two zero-day vulnerabilities β one carrying a maximum CVSS score of 10.0 β are being chained together in active attacks to take full control of internet-facing devices.
Rapid7βs managed detection and response team, which discovered the campaign, says targeted exploitation of SMA 1000 appliances has been underway since at least late June. CISA has responded with one of its tightest deadlines of the year: federal agencies must remediate by July 17 under Binding Operational Directive 26-04 β or stop using the product.
The Vulnerabilities
CVE-2026-15409 (CVSS 10.0) is a server-side request forgery flaw in the SMA 1000βs WorkPlace interface, served on port 443 by default. The bug lives in a websocket proxy feature reachable at /wsproxy, which accepts attacker-supplied host and port values in URL parameters and obligingly opens what Rapid7 describes as a netcat-like TCP tunnel to them. No authentication required.
By pointing that tunnel at localhost, a remote attacker can converse directly with internal appliance services that were never meant to be reachable from the internet β sending and receiving arbitrary TCP traffic to the deviceβs own management plane from anywhere in the world.
CVE-2026-15410, the second zero-day, picks up where the first leaves off: SonicWall warns it can enable execution of admin-level commands. Chained, the pair converts an unauthenticated internet request into full appliance takeover.
Whoβs Affected, and What to Do
The flaws affect SMA 1000 models 6210, 7210, and the 8200v virtual appliance. Fixed releases are:
- 12.4.3-03453 (hotfix)
- 12.5.0-02835
SonicWall says it investigated multiple incidents and confirmed both vulnerabilities are being exploited in the wild. Organizations running SMA 1000 devices should assume they have been probed and act accordingly:
- Patch now β ahead of the federal deadline, because attackers read advisories too, and the publication of technical detail on
/wsproxystarts the clock for mass exploitation. - Hunt, donβt just patch. Exploitation has been running since late June; a patch applied today does nothing about a device compromised two weeks ago. Review appliance logs for anomalous websocket connections and unexpected administrative actions, and treat credentials and sessions that transited the device as suspect.
- Restrict management exposure and rotate credentials/certificates bound to the appliance if any compromise indicators surface.
The Edge-Device Drumbeat Continues
If this feels like dΓ©jΓ vu, it should. Secure remote access appliances β the boxes bought specifically to protect the perimeter β have been 2026βs most reliable initial-access vector, a pattern weβve tracked from the FortiBleed exploitation wave that hit Fortinet customers this month to Ubiquitiβs own CVSS 10.0 command injection last week, and Ciscoβs sixth exploited SD-WAN zero-day of the year patched just days ago.
The economics are structural. An SMA 1000 sits on the open internet by design, terminates VPN sessions for the whole workforce, holds or brokers privileged credentials, and β critically β usually runs no EDR agent and produces logs nobody reads. For a ransomware affiliate or espionage crew, one appliance zero-day replaces a thousand phishing emails.
SonicWall specifically has been a repeat visitor to the KEV catalog: SMA 100-series bugs fueled ransomware campaigns for years, and the SMA 1000βs higher-end enterprise install base makes this round more valuable per device, not less.
For defenders, the takeaway hardens a little more with each cycle: edge appliances deserve the same assume-breach treatment as domain controllers. Inventory them, monitor them externally (they wonβt self-report), patch them within days rather than quarters, and architect so that one popped box on the perimeter cannot cash out into the entire network.
Sources
- BleepingComputer β SonicWall warns of SMA1000 flaws exploited in zero-day attacks
- Rapid7 β MDR Team Discovers New SonicWall SMA1000 Zero-Days Being Actively Exploited
- The Hacker News β Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands
- Help Net Security β SonicWall SMA appliances targeted in zero-day attacks



