SonicWall SMA1000 post-authentication OS command injection
A post-authentication OS command injection in the SonicWall SMA1000 lets an administrator execute arbitrary OS commands on the appliance. Actively exploited alongside CVE-2026-15409; on CISA KEV.
- Vendor
- SonicWall
- Product
- SMA1000 Series (6210, 7210, 8200v)
- CVSS
- 7.2
- EPSS (exploit probability)
- N/A
- Status
- kev
- Published
CVE-2026-15410 is a post-authentication OS command injection in the SonicWall SMA1000. Per NVD, the flaw “in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.” SonicWall’s PSIRT confirmed active exploitation prior to the July 14 patch and CISA added it to KEV the same day, with a federal remediation deadline of July 17, 2026.
On its own, CVE-2026-15410 is not remote — it needs admin. In the exploitation SonicWall is describing, it appears alongside CVE-2026-15409, the unauthenticated SSRF in the same appliance, which gives attackers a foothold from which to reach the admin surface. Treat the pair as one chain.
Affected and fixed builds
Vulnerable platform-hotfix builds: 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. Fixed in 12.4.3-03453 (12.4 branch) and 12.5.0-02835 (12.5 branch), or later. Affected hardware: SMA1000 6210, 7210, and 8200v. The SMA100 series is a separate product line and is not in scope for this advisory.
What to do
Patch to the fixed build before the July 17 CISA deadline. After patching, rotate every admin credential that touched the appliance since the last known-good state — a rotated password on an unpatched box is worthless, but an unrotated password on a patched box is still the second half of this chain. Review extraweb_access.log, ctrl-service.log, and /var/lib/unit/conf.json for the IoCs listed in SNWLID-2026-0008; if any match, rebuild the appliance rather than trusting the patch. Full context in the article writeup.
