Cybersecurity researchers have uncovered active attacks targeting two critical zero-day vulnerabilities in SonicWall SMA 1000 Series remote access appliances. By combining these flaws, attackers can gain unauthorized access to vulnerable systems and execute commands with root-level privileges, potentially taking complete control of the affected appliance.
The vulnerabilities, identified as CVE-2026-15409 and CVE-2026-15410, were observed being exploited before public disclosure. Because of the active attacks, both flaws have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate action.
Exploitation Chain
The first vulnerability allows an unauthenticated attacker to reach internal services that are normally protected from external access. This provides an entry point to the appliance and enables attackers to execute commands with limited privileges.
The second vulnerability can then be used to escalate those privileges to root by abusing the appliance’s update and rollback process. Once exploited, attackers can run malicious scripts with full administrative permissions, giving them complete control over the system. Researchers also noted that the appliance may reboot after exploitation, which can make incident investigation more difficult.
Affected products include SonicWall SMA 1000 Series devices running vulnerable releases in the 12.4.3 and 12.5.0 software branches. SonicWall has confirmed that the SMA 100 Series and SSL VPN functionality on SonicWall firewalls are not affected.
Security Recommendations
Organizations using affected SonicWall SMA 1000 appliances should install the latest security hotfixes released by SonicWall as soon as possible, as no alternative mitigation is currently available.
In addition to patching, security teams should inspect appliances for signs of compromise, re-image affected systems if necessary, rotate administrator and user credentials, reset multi-factor authentication tokens following a confirmed breach, and continue monitoring VPN infrastructure for suspicious activity.
Applying the latest updates and reviewing exposed appliances promptly will help reduce the risk of compromise from these actively exploited vulnerabilities.