Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-15409

SonicWall SMA1000 unauthenticated SSRF in Work Place portal

An unauthenticated server-side request forgery in the SonicWall SMA1000 Work Place web interface lets a remote attacker force the appliance to make requests to attacker-chosen destinations. Actively exploited; on CISA KEV.

cat cve-2026-15409.json
Vendor
SonicWall
Product
SMA1000 Series (6210, 7210, 8200v)
CVSS
10.0
EPSS (exploit probability)
N/A
Status
kev
Published

CVE-2026-15409 is an unauthenticated server-side request forgery (SSRF) in the Work Place web interface of the SonicWall SMA1000 remote-access appliance. Per NVD, “a remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.” SonicWall’s PSIRT confirmed active exploitation prior to the July 14 patch and CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day, with a federal remediation deadline of July 17, 2026.

Affected and fixed builds

Vulnerable platform-hotfix builds: 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. Fixed in 12.4.3-03453 (12.4 branch) and 12.5.0-02835 (12.5 branch), or later. Affected hardware: SMA1000 6210, 7210, and 8200v. The SMA100 series is a separate product line and is not in scope for this advisory.

What to do

Install the patched build on every SMA1000 appliance before the July 17 CISA deadline. If patching has to wait, take the Work Place portal off the internet until the update is applied — the SSRF is pre-auth against that interface. Review the indicators of compromise in SNWLID-2026-0008 (entries in extraweb_access.log, ctrl-service.log, and /var/lib/unit/conf.json), and if anything matches, treat the appliance as compromised rather than merely vulnerable. See the article writeup for the pairing with CVE-2026-15410, the post-auth command injection SonicWall discloses in the same advisory.