Select a theme from the list.
Insights

From our experts

Latest
Microsoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaAsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery SystemMicrosoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalGlobal CMS Exploitation Wave Plants Webshells on Business WebsitesExposed Attack Server Unmasks Three Microsoft 365 Phishing OperationsMicrosoft Prepares Windows Customers for a Faster Era of AI-Driven PatchingLaser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet CardsGlobal CMS Exploitation Wave Puts Business Websites at Immediate RiskMacOS Malware 'Poseidon Stealer' Rebranded as 'Odyssey Stealer'CISA Warns of Critical Vulnerabilities in Mitsubishi Electric ICS HardwareMicrosoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaAsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery SystemMicrosoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalGlobal CMS Exploitation Wave Plants Webshells on Business WebsitesExposed Attack Server Unmasks Three Microsoft 365 Phishing OperationsMicrosoft Prepares Windows Customers for a Faster Era of AI-Driven PatchingLaser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet CardsGlobal CMS Exploitation Wave Puts Business Websites at Immediate RiskMacOS Malware 'Poseidon Stealer' Rebranded as 'Odyssey Stealer'CISA Warns of Critical Vulnerabilities in Mitsubishi Electric ICS Hardware
Security Insight

SonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 Patching

SonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 Patching
Photo by Ann H on Pexels

SonicWall has confirmed active exploitation of two vulnerabilities affecting SMA1000 secure-access appliances. Administrators must install the available hotfixes because the vendor says no alternative workaround or mitigation is available.

News Date: 2026-07-14

SonicWall is urging customers to patch Secure Mobile Access 1000 appliances after confirming that attackers are actively exploiting two previously unknown vulnerabilities. The affected technology often occupies a sensitive position at the edge of corporate networks, making compromised appliances valuable entry points for espionage, credential theft and deeper intrusion.

Two Flaws With Different Access Requirements

CVE-2026-15409 is a critical server-side request forgery vulnerability with a CVSS score of 10.0. It can allow an unauthenticated remote attacker to force a vulnerable appliance to send requests to unintended locations. Such behavior may expose internal services that are normally inaccessible from the public internet.

The second vulnerability, CVE-2026-15410, is a post-authentication code-injection flaw rated 7.2. It may allow a remote attacker with administrative access to execute operating-system commands through the Appliance Management Console. SonicWall has not publicly confirmed whether attackers are chaining the two vulnerabilities, but it has investigated multiple incidents involving active exploitation.

Affected products include SMA1000 models 6210, 7210 and 8200v running specified releases in the 12.4.3 and 12.5.0 branches. Fixes are available in platform-hotfix versions 12.4.3-03453, 12.5.0-02835 and later. SonicWall says its firewall-based SSL VPN and SMA 100 series are not affected.

Patching Alone May Not Be Enough

Administrators should examine appliance logs and configuration data for the indicators of compromise published by SonicWall. Suspicious API requests, unusual proxy parameters, unexpected hotfix rollbacks and unauthorized configuration routes may indicate that an attacker has already gained access.

Required Actions

  • Install the appropriate hotfix immediately.
  • Review all vendor-provided indicators of compromise.
  • Restrict administrative access to trusted management networks.
  • Re-image or redeploy any appliance showing evidence of intrusion.
  • Reset administrator and user passwords, along with authentication tokens.

In my view, externally exposed access appliances should never be treated as ordinary patching candidates. They are part of the organization's security perimeter and require emergency handling when exploitation is confirmed. The absence of a workaround makes rapid deployment essential, while evidence of compromise should trigger a broader incident investigation rather than a simple update and return to service.

Talk to our team →

Latest

Microsoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationJul 15, 2026SonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingJul 15, 2026Critical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaJul 15, 2026AsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery SystemJul 15, 2026Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalJul 13, 2026Global CMS Exploitation Wave Plants Webshells on Business WebsitesJul 13, 2026

Most read

1Global CMS Exploitation Wave Plants Webshells on Business Websites2Exposed Attack Server Unmasks Three Microsoft 365 Phishing Operations3Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe Goal4Laser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet Cards5Microsoft Prepares Windows Customers for a Faster Era of AI-Driven Patching6Switzerland Mandates 24-Hour Cyberattack Reporting for Critical Sectors