CVE-2026-15409: SonicWall SMA1000 SSRF Zero-Day (CVSS 10.0) — How to Find Exposed Appliances on Your Network
SonicWall SMA1000 secure remote access appliances contain a server-side request forgery vulnerability in the WorkPlace portal interface that lets unauthenticated attackers force the appliance to make requests to unintended locations. CVSS 10.0, actively exploited as a zero-day, CISA KEV listed on July 14, 2026 with a BOD 26-04 remediation deadline of July 17 for FCEB agencies. A second vulnerability, CVE-2026-15410, enables post-authentication OS command injection through the Management Console and is also being exploited.
The Vulnerability
CVE-2026-15409 (CWE-918: Server-Side Request Forgery) is a critical SSRF vulnerability in the SMA1000 Appliance WorkPlace interface. A remote unauthenticated attacker can craft requests that force the appliance to make arbitrary server-side requests, potentially reaching internal resources that should not be externally accessible. The vulnerability requires no authentication, no user interaction, and has low attack complexity.
- CVSS: 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) — Scope Changed — SonicWall Advisory SNWLID-2026-0008
- CWE: CWE-918 (Server-Side Request Forgery)
- AFFECTED: SMA 6210, SMA 7210, SMA 8200v, and CMS — builds 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, 12.5.0-02800
- FIXED: 12.4.3-03453 (platform-hotfix) and later, 12.5.0-02835 (platform-hotfix) and later
- EXPLOITED: Active exploitation confirmed — CISA KEV listed July 14, 2026 · BOD 26-04 deadline July 17, 2026 (FCEB agencies)
- RELATED: CVE-2026-15410 (post-auth OS command injection, CVSS 7.2, also actively exploited and CISA KEV listed)
The "Scope: Changed" CVSS metric is significant — it means the vulnerability impacts resources beyond the vulnerable component itself. An SSRF in a VPN appliance sitting at the network perimeter can pivot to internal services, cloud metadata endpoints, or management interfaces that would otherwise be unreachable from the internet. This is why SonicWall's CVSS assessment rates it 10.0 despite "only" being an SSRF.
The Second Vulnerability: CVE-2026-15410
CVE-2026-15410 (CWE-94: Code Injection, CVSS 7.2) is a post-authentication OS command injection flaw in the SMA1000 Appliance Management Console (AMC). An authenticated administrator can execute arbitrary operating system commands. While the authentication requirement limits direct exploitation, SonicWall confirmed active exploitation of both vulnerabilities but has not disclosed whether attackers chained them together.
SonicWall confirmed both vulnerabilities are being actively exploited. Both are CISA KEV listed with the same July 17 deadline. The same platform hotfixes address both CVEs.
SonicWall SMA: A Recurring Target
This is the latest in a series of SMA appliance zero-days. SonicWall SMA devices have been targeted by threat actors including suspected Chinese groups in previous campaigns. VPN and remote access appliances remain high-value targets because they sit at the network edge, handle authentication, and are often exposed to the internet by design.
Investigation Workflow
SMA1000 appliances are purpose-built VPN/remote access gateways, typically internet-facing. They expose distinctive web interfaces that are identifiable through port scanning, TLS inspection, and HTTP response analysis.
1. Port Scan: Find SMA1000 Appliances
SMA1000 appliances use several default ports. The WorkPlace portal (where CVE-2026-15409 lives) and the Management Console (where CVE-2026-15410 lives) are the primary targets:
- • 443 — HTTPS (CMS communication; also commonly configured as WorkPlace SSL port)
- • 8443 — HTTPS (Appliance Management Console — where CVE-2026-15410 resides)
- • 8085 — HTTP (WorkPlace portal default — where CVE-2026-15409 resides)
- • 8444 — HTTPS (CMS communication)
- • 8080 — Tunnel Service
2. HTTP Headers: Identify SMA1000 Interfaces
SMA1000 appliances return identifiable HTTP responses:
- • Server: SMA/% — SonicWall SMA server header pattern
- • HTML title WorkPlace — the user-facing portal where CVE-2026-15409 resides
- • HTML title Appliance Management Console Login — the admin interface where CVE-2026-15410 resides
- • HTML title Central Management Console Login — CMS management interface
- • Favicon hash 16866410 (MMH3) — SonicWall SMA favicon fingerprint
3. TLS Inspect: Examine Certificates
Pull the TLS certificate on ports 443 and 8443. Look for:
- • Subject CN or SAN containing sma, vpn, remote, or access
- • Default self-signed certificates from SonicWall (common on unmanaged deployments)
- • Organization field referencing SonicWall or SonicWALL
4. DNS: Discover SMA Infrastructure
Query DNS for common SMA naming patterns: vpn.*, sslvpn.*, remote.*, access.*, sma.*, workplace.*. SMA appliances are often deployed with dedicated DNS entries pointing to the WorkPlace portal.
5. CVE Lookup: Track Both Vulnerabilities
Look up both CVE-2026-15409 and CVE-2026-15410. Both are CISA KEV listed with the same July 17 deadline. The same hotfix patches address both — confirming one is patched confirms the other.
Note: The fingerprints above are heuristics — they identify likely SMA1000 appliances but may produce false positives on other SonicWall products or customized deployments. They also do not confirm patch state. SMA appliances do not leak firmware version numbers in HTTP headers. To verify the installed hotfix, log into the Appliance Management Console (AMC) or Central Management Console (CMC) and check the installed platform-hotfix version against the fixed builds listed above.
Indicators of Compromise
SonicWall's advisory identifies specific IOCs to check for evidence of exploitation:
- • extraweb_access.log — requests to /_api_/login or /__api__/logout returning HTTP 200
- • extraweb_access.log — requests to /wsproxy with suspicious host parameters returning HTTP 101
- • ctrl-service.log — entries mentioning "hotfix removal" with path-traversal filenames
- • /var/lib/unit/conf.json — unexpected routes containing /__api__/login or /__api__/logout
- • If any IOCs are found: treat the appliance as compromised, re-image hardware or redeploy virtual appliances, reset all passwords and TOTP tokens
Cross-Reference with External Data
- SHODAN: Search "Server: SonicWALL SSL-VPN Web Server" or http.favicon.hash:16866410 to find internet-exposed SMA appliances
- CVE LOOKUP: Track CVE-2026-15409 and CVE-2026-15410 for scoring updates and exploit disclosures
- CISA KEV: Both CVEs listed July 14, 2026 — BOD 26-04 deadline July 17, 2026 (FCEB agencies)
- SONICWALL: SNWLID-2026-0008
Remediation
- Patch immediately. Apply SonicWall hotfix 12.4.3-03453 or 12.5.0-02835 (or later). These updates fix both CVE-2026-15409 and CVE-2026-15410. If patching is not possible, disconnect the appliance from the network.
- Check for indicators of compromise. Review extraweb_access.log for requests to /_api_/login, /__api__/logout, and /wsproxy. Check ctrl-service.log for "hotfix removal" entries and /var/lib/unit/conf.json for unexpected routes. If found, treat the appliance as compromised.
- If compromised, re-image. SonicWall recommends re-imaging hardware appliances or redeploying virtual appliances (8200v). Do not simply patch a compromised device — backdoors may persist.
- Reset all credentials. Change all user and administrator passwords. Reset TOTP tokens. Assume any credentials stored on or transiting the appliance may be compromised.
- Restrict Management Console access. The AMC (port 8443) should never be internet-facing. Restrict it to management VLANs or jump hosts. This limits exposure to CVE-2026-15410.
- Monitor for follow-on activity. SMA appliances handle VPN authentication — a compromised appliance may have exposed VPN session tokens, user credentials, or internal network topology. Audit downstream systems.
Every tool used in this investigation — port scan, TLS inspect, HTTP headers, DNS, CVE lookup — runs from your phone in RECON. Get it on the App Store.
Follow @hellorecon for new CVE investigations.
Sources
- → SonicWall Product Notice: SNWLID-2026-0008
- → NVD: CVE-2026-15409
- → NVD: CVE-2026-15410
- → CISA: Adds Four Known Exploited Vulnerabilities to Catalog (July 14, 2026)
- → BleepingComputer: SonicWall Warns of SMA1000 Flaws Exploited in Zero-Day Attacks
- → The Hacker News: Two SonicWall SMA 1000 Zero-Days Exploited
- → SonicWall: SMA 1000 Series Default Assigned Ports