Skip to content
Security & Trust

SonicWall SMA Zero-Day Pair Chains Anonymous Access to Admin Commands

Two flaws, CVSS 10.0 and 7.2, were exploited in the wild before a patch existed for either one.

· 4 min read
Share on X LinkedIn
SonicWall SMA Zero-Day Pair Chains Anonymous Access to Admin Commands

Two Bugs, No Warning Window

SonicWall disclosed on July 15, 2026 that two vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances were being actively exploited before any patch was available for either one. SMA 1000 gateways are the remote-access front door many organizations use to let employees, contractors, and administrators reach internal systems from outside the corporate network — the kind of infrastructure that sits upstream of everything else, including the web applications and CMS admin panels a security team might otherwise be watching.

CVE-2026-15409
Unauthenticated SSRF, CVSS 10.0
Source: SonicWall Security Advisory (July 15, 2026)
CVE-2026-15410
Authenticated command injection, CVSS 7.2
Source: SonicWall Security Advisory (July 15, 2026)

The two flaws chain cleanly. CVE-2026-15409 lets a remote, unauthenticated attacker force the appliance to make requests to a location of their choosing — a server-side request forgery bug that needs no credentials at all. CVE-2026-15410 is a post-authentication code injection in the appliance's Management Console that lets an already-authenticated attacker run arbitrary operating system commands as administrator. Used together, the first flaw can manufacture the access the second one needs, turning an anonymous network position into administrator-level command execution on the appliance itself, with a maximum-severity score on the entry point.

A Federal Deadline That Isn't Everyone's Deadline

3 days (July 14 to July 17, 2026) — BOD 26-04 critical tier
Time from CISA KEV listing to federal patch deadline
Source: CISA Known Exploited Vulnerabilities Catalog (July 14, 2026)

CISA added both CVEs to its Known Exploited Vulnerabilities catalog on July 14, 2026, with a remediation deadline of July 17 under Binding Operational Directive 26-04, which replaced the old BOD 22-01 in June 2026 with a risk-tiered framework. The three-day window here falls under BOD 26-04's most aggressive tier — the 72-hour critical deadline reserved for actively exploited, internet-facing, high-impact vulnerabilities — making this one of the first real-world applications of the new tiered model. That directive binds federal civilian agencies; it does not set a universal patch clock for every organization running an SMA 1000 gateway. For everyone outside that federal scope, the only deadline that exists is the one an attacker sets by finding the appliance first, which is precisely what happened here: exploitation preceded the patch, not the other way around.

A Gateway WebPulse Doesn't See

WebPulse's scans identify web frameworks by the signatures they leave in HTML and HTTP headers — the software rendering pages, not the network appliances that broker access to the infrastructure behind them. SonicWall's SMA line falls outside that surface entirely, and this story is not evidence about any of the roughly 30 frameworks WebPulse tracks. What it does illustrate is the boundary of the map: a WordPress or Next.js deployment can carry a strong framework score and still sit behind a remote-access gateway with a maximum-severity, pre-patch exploit chain. Framework-level hardening and perimeter-appliance hardening are separate budget lines, and this week one of them moved first.

For budget-signers, the practical read is narrower than the CVSS score suggests but no less concrete: any organization running SMA 1000 series appliances should confirm they are on the patched hotfix builds (12.4.3-03453 or 12.5.0-02835 and higher) regardless of federal status, and should treat the three-day gap between KEV listing and federal deadline as a signal of urgency rather than a scope limit on who needs to act.

CVEs in this analysis
CVE-2026-15409 CVE-2026-15410
Share this insight