SonicWall has confirmed that two zero-day vulnerabilities in its SMA 1000 series appliances, the hardware many organisations use to provide secure remote access to internal networks, are being actively exploited in the wild, and have been since at least 22 June.
What the two flaws actually do
CVE-2026-15409 is a maximum-severity, CVSS 10.0 server-side request forgery flaw in the SMA1000 Appliance Work Place interface. It requires no authentication at all, letting a remote attacker force the appliance into making requests to locations of the attacker’s choosing. CVE-2026-15410 is a separate, high-severity CVSS 7.2 post-authentication command injection flaw in the Management Console, allowing an authenticated administrator context to execute arbitrary operating system commands.
Individually, the second flaw would look far less urgent, since it needs an authenticated session first. Together, they are the whole problem. SonicWall has confirmed that attackers are chaining the two: the unauthenticated SSRF flaw is used to obtain the access the second flaw then turns into full command execution. The combination takes an attacker from zero access outside the appliance to complete compromise of it, with no valid credentials required at any point.
Why the timeline matters
Rapid7’s MDR team, which first identified the exploitation, traced active attacks back to 22 June, meaning the flaws were being used against real targets for roughly three weeks before a fix existed. SonicWall has since released hotfixes for the affected SMA1000 6210, 7210, and 8200v appliances, versions 12.4.3-03453 and 12.5.0-02835. CISA has added both CVEs to its Known Exploited Vulnerabilities catalogue and, under Binding Operational Directive 26-04, is requiring US federal agencies to apply the fix or take the affected appliances offline entirely by 17 July.
That deadline is a useful forcing function for anyone outside the reach of a federal directive too. Remote access appliances sit at the network edge by design, which is exactly why they are such a consistently attractive target: a single compromised device grants a foothold into whatever it was built to protect. European organisations running SMA1000 gateways for staff or partner remote access should not wait for a directive that does not apply to them before treating this with the same urgency.
What to do now
Patch to the hotfix versions immediately if you have not already. If patching cannot happen within hours rather than days, restrict management console access to trusted networks only and review authentication logs for the appliance going back to at least mid-June, since the three-week gap between first exploitation and public disclosure means quiet compromise is a real possibility, not a theoretical one.
If your organisation relies on SonicWall SMA appliances, or any remote access infrastructure, and you need help assessing exposure, prioritising patching, or reviewing whether your edge infrastructure is holding up under current threat conditions, contact Excello Digital. We help European businesses turn vulnerability disclosures like this one into a clear, prioritised action plan rather than a scramble.
