SonicWall SMA 1000 Zero-Days Actively Exploited, CISA Deadline Looms
SonicWall has confirmed active exploitation of two zero-day vulnerabilities in its SMA 1000 series appliances, with CISA giving federal agencies until 17 July to apply the fix.

Network operations centre reviewing logs on a secure remote access appliance under active exploitation
SonicWall has confirmed active exploitation of two zero-day vulnerabilities affecting its Secure Mobile Access (SMA) 1000 series appliances, one of which can be chained to achieve arbitrary command execution as administrator.
Two flaws, one working chain
CVE-2026-15409, rated CVSS 10.0, is a server side request forgery vulnerability that lets a remote, unauthenticated attacker force the appliance to make requests to a location of the attacker's choosing. CVE-2026-15410, rated CVSS 7.2, is a post authentication code injection flaw in the Appliance Management Console that allows a remote authenticated attacker to execute arbitrary operating system commands under certain conditions. Used together, the pair gives an attacker a path from no access at all to administrator level command execution on the appliance.
Confirmed active exploitation
SonicWall said it has investigated multiple cases showing active exploitation of both vulnerabilities and is urging customers to apply the available fixes immediately. Adam Babis of SonicWall's own product security incident response team is credited with discovering and reporting the flaws, with Volexity's Sean Koessel and Steven Adair credited for contributions that helped advance the investigation and identify an additional indicator of compromise.
A pattern that keeps repeating
This is not the first time a remote access appliance has landed on CISA's Known Exploited Vulnerabilities catalogue with a matching countdown. We saw the same sequence play out with Citrix NetScaler earlier this year, where active exploitation triggered an urgent federal patch deadline within days of disclosure. Edge devices sitting at the network perimeter remain the single most efficient entry point for an attacker, precisely because everything behind them is implicitly trusted once a session is established.
A hard deadline is already running
The US Cybersecurity and Infrastructure Security Agency has added both flaws to its Known Exploited Vulnerabilities catalogue, requiring United States federal civilian agencies to apply the fixes by 17 July 2026. For any GCC enterprise or government body running SMA 1000 appliances, particularly those with US federal supply chain or partner relationships, that CISA deadline is a useful forcing function even though it carries no direct local regulatory weight. Waiting for a formal regional mandate to catch up is not a sound strategy once active exploitation is already confirmed. This connects directly to the identity risk we detailed in our privileged access research for the GCC, since a remote access appliance is functionally a privileged access chokepoint, and an authentication bypass there defeats every identity control layered behind it.
Fixed versions and what to check
Patches are available in versions 12.4.3-03453 platform hotfix and higher, and 12.5.0-02835 platform hotfix and higher. Administrators should apply these immediately rather than scheduling them into a routine patch cycle. SonicWall has also published specific indicators to check for prior compromise. These include requests to /api/login or /api/logout returning HTTP 200 in extraweb_access.log, requests to /wsproxy with suspicious host parameters returning HTTP 101, hotfix rollback entries with path traversal style names in ctrl-service.log, and any routes for /api/login or /api/logout inside /var/lib/unit/conf.json, since neither URI exists in a legitimate configuration.
If any indicator is present
SonicWall's guidance is direct where any of these indicators appear. Re-image physical appliances or redeploy virtual appliances rather than attempting to clean in place, change all user and administrator passwords, and reset time based one time password tokens. Any organisation that finds a match should treat it as a confirmed incident and follow the same structured response we laid out in our guide to the first 72 hours of a breach in the GCC, rather than treating remediation as a simple patch and move on exercise. Given the severity rating and the confirmed exploitation, security teams responsible for SMA 1000 deployments should treat this as an immediate action item rather than something to fold into the next maintenance window.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.