SonicWall SMA1000 zero-days on CISA KEV: patch by July 17
Two SMA1000 flaws — a CVSS-10.0 unauthenticated SSRF and a post-auth code injection — hit CISA KEV today. Patch to 12.4.3-03453 or 12.5.0-02835 before July 17.
Two SonicWall SMA1000 flaws hit CISA’s Known Exploited Vulnerabilities catalog on July 14: CVE-2026-15409, an unauthenticated server-side request forgery in the Work Place web interface (CVSS 10.0), and CVE-2026-15410, a post-authentication OS command injection reachable by an administrator (CVSS 7.2). SonicWall’s PSIRT says it “investigated multiple cases indicating the active exploitation of the vulnerabilities” before the patch shipped. Federal agencies have until July 17 under BOD 26-04. Everyone else should treat that as the deadline too.
If you’re running an SMA1000 6210, 7210, or 8200v on one of these platform-hotfix builds, you’re vulnerable: 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, or 12.5.0-02800. Fixed builds are 12.4.3-03453 on the 12.4 branch and 12.5.0-02835 on the 12.5 branch. Anything later than those is fine. SMA100 series is a different product line and is not in scope for this advisory.
The shape of the chain, without walking anyone through it: the SSRF is pre-auth against the Work Place portal — the front-door user interface exposed on any real deployment. The code injection needs admin, so on its own it isn’t remote. Paired with any way to reach admin — credential theft, a session hijack, a second bug — you get RCE on the appliance. That’s what SonicWall is describing when they say “active exploitation” of both, not either. Treat the two CVE IDs as one story.
The honest timeline:
- Before July 14 — PSIRT sees exploitation in the wild against multiple SMA1000 customers. No public disclosure yet.
- July 14 — SonicWall publishes SNWLID-2026-0008 with fixed builds available.
- July 14 (same day) — CISA adds both CVEs to KEV.
- July 17 — federal patch deadline. Three days.
Priority order:
- Install 12.4.3-03453 or 12.5.0-02835 on every SMA1000 in your environment tonight. This is not a “batch it into the next change window” situation — CISA gave three days, and the SSRF is a 10.0.
- Check the IoCs in the SonicWall advisory: suspicious entries in
extraweb_access.logandctrl-service.log, and — the loud one — malicious content in/var/lib/unit/conf.json. If any of those hit, treat the appliance as compromised, not just patched. Rebuild, don’t clean. - Rotate every admin credential that touched the appliance since your last known-good state. The command-injection half needs admin, and if an intruder used the SSRF to grab admin material, you don’t want that credential still valid on the patched box.
- Then walk back through user session history on the portal for out-of-window logins, unusual source ASNs, and access to internal targets you don’t expect the appliance to be reaching.
If you can’t patch tonight, the honest answer is: take the appliance off the internet. Remote-access appliances that can’t be updated shouldn’t be reachable during an actively-exploited zero-day window. That’s not overkill — that’s the whole reason CISA runs KEV in the first place.
Related coverage: Progress patched ShareFile Storage Zone Controllers on the same day, Microsoft’s July Patch Tuesday shipped 570 fixes including two zero-days, and SAP shipped three criticals on the same cycle. Gateway-appliance week, again.
Found this useful? Share it.