```html ``` SonicWall's SMA1000 Just Got Two Zero-Days and a Federal Ultimatum. We've Called the Edge Appliance the Door of the Era Since March.
top of page

SonicWall's SMA1000 Just Got Two Zero-Days and a Federal Ultimatum. We've Called the Edge Appliance the Door of the Era Since March.

  • Writer: Patrick Duggan
    Patrick Duggan
  • a few seconds ago
  • 4 min read

SonicWall confirmed this week that two flaws in its SMA1000 remote-access appliances have been exploited as zero-days, in the wild, chained together. CISA added both to the Known Exploited Vulnerabilities catalog on July 14 and set a hard clock: federal agencies have until July 17 under Binding Operational Directive 26-04 to patch the appliance or rip it out of service. Three days. Patch or unplug. There is no third option in the directive.


We did not have these two CVEs pre-staged, and we are going to say so up front. What we have is four months of telling you this exact thing would keep happening to this exact class of box — and naming SonicWall specifically while we did it.



The Two Flaws


CVE-2026-15409 is the dangerous one. It is a server-side request forgery in the SMA1000 Work Place interface, rated CVSS 10.0, and it needs no authentication. A remote attacker who has never logged in can make the appliance issue requests to places it should never reach — internal services, cloud metadata endpoints, whatever sits behind the appliance that trusts it.


CVE-2026-15410 is the follow-through. It is a post-authentication code-injection flaw in the SMA1000 management console, CVSS 7.2, that lets an authenticated administrator run arbitrary operating-system commands. On its own that is a medium-grade problem, because it needs admin access first. Chained behind the unauthenticated SSRF, it stops being a medium-grade problem. That is exactly how SonicWall says it is being used: the two together, in tandem. The unauth flaw gets you to the console, the code-injection flaw turns the console into a shell. Affected firmware is 12.4.3 and 12.5.0; the hotfixes are 12.4.3-03453 and 12.5.0-02835.



What We Said, Repeatedly, Before This Week


On March 17 we wrote that the Cisco ASA was getting popped right now and that the edge firewall was the initial-access surface to worry about. On May 21 we ran a post titled Edge-Appliance Week, after CISA added three RCEs in fourteen days and two of them were edge vendors. On June 9 we wrote that the number-two ransomware crew on earth, Akira, has one favorite door — your SSL VPN — and we named the vendors in that sentence: Cisco ASA, SonicWall, WatchGuard, in and encrypting in under four hours. On June 15, Four Edge Appliances One Weekend, when PAN-OS, Check Point, Serv-U, and PeopleSoft were all being exploited at once.


SonicWall was not an afterthought in that coverage. It was named, by brand, as one of the doors ransomware crews walk through. This week's zero-days are not a surprise to anyone who read those posts. They are the category doing precisely what we said the category does.


That is the honest shape of this call. We do not have a timestamp that beats the disclosure on CVE-2026-15409 — nobody outside the attacker does; it was a zero-day. What we have is the pattern called correctly, months out, with the vendor named. There is a difference between predicting a specific bug and predicting the surface, and we are claiming the second one, not the first.



The SonicWall Line Is a KEV Subscription


Here is the number that should reframe how you think about these appliances. Pull CISA's KEV catalog for SonicWall and count. The SMA and SSL-VPN family carries double-digit entries — OS command injection in 2021, SQL injection going back to 2019, a missing-authorization flaw in December 2025, and now these two. This is not a vendor that had a bad week. This is a product line that shows up in the "actively exploited" catalog on a schedule.


When a single appliance family has been in KEV that many times, the vulnerability is not really any one CVE. The vulnerability is the decision to terminate untrusted internet traffic on a complex, privileged, internet-facing box and trust the vendor to have gotten every code path right. The attackers have decided that bet is a good one to fade. The KEV history says they are right.



What To Do


If you run an SMA1000 on 12.4.3 or 12.5.0, you are on the clock whether or not you are a federal agency — the BOD deadline just tells you how seriously CISA is taking it. Apply the hotfix. Then assume the three-day window before you patched was long enough for someone to have used it, because these were live zero-days before the fix existed, and hunt accordingly. Review admin console access logs, look for command execution you cannot attribute, and check for outbound requests from the appliance to internal or metadata endpoints that fit the SSRF pattern.


And take the longer lesson, because it is the one that actually reduces your exposure over the next year. The edge appliance is not a set-and-forget purchase. It is a standing liability that has to be patched the day a fix ships, monitored like a server, and — where the business allows — put behind something that assumes it will eventually be breached. We open-sourced our edge shield for exactly this reason: the window between an IOC being published and it reaching your infrastructure is where the breach happens, and on an appliance that shows up in KEV this often, that window is not theoretical.


We called the door. This week a crew walked through it again. The only question the KEV history leaves open is which vendor's box is next, and the honest answer is that it does not much matter — the door is the door.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page