Critical SonicWall Firewall 0-Day Vulnerabilities Actively Exploited in Attacks
SonicWall has issued an urgent security advisory regarding two vulnerabilities affecting its SMA1000 Series appliances. The company is warning that attackers are actively exploiting these flaws in real-world attacks.
The most critical issue, tracked as CVE-2026-15409, carries a maximum CVSS severity score of 10.0 and can be exploited remotely without requiring authentication.
The vulnerabilities impact SonicWall SMA1000 models 6210, 7210, and 8200, specifically those running certain versions of platform-hotfix releases 12.4.3 and 12.5.0.
SonicWall Firewall 0-Day Vulnerabilities
SonicWall clarified that these flaws do not affect SSL-VPN services on its firewall products or the SMA 100 Series appliance line. CVE-2026-15409 is a server-side request forgery (SSRF) vulnerability found in the SMA1000 Workplace interface.
An unauthenticated remote attacker could exploit this flaw to force a vulnerable appliance to send requests to unintended internal or external locations.
SSRF vulnerabilities may allow attackers to access services that are typically not reachable from the internet, probe internal network resources, or facilitate further compromise.
The second issue, CVE-2026-15410, is a post-authentication code injection vulnerability within the SMA1000 Appliance Management Console, which has a CVSS score of 7.2.
Under certain conditions, an authenticated administrator could exploit this vulnerability to execute arbitrary operating system commands on the appliance.
While this flaw requires administrator-level access, it could give an attacker full control over the affected system if they obtain credentials or compromise an administrative session.
The SonicWall Product Security Incident Response Team (PSIRT) has investigated multiple incidents involving the active exploitation of these vulnerabilities.
Although the company did not disclose technical details about the threat actors or specific attacks, it strongly urges customers to install the available hotfix immediately, as no workaround is currently available.
Organizations using affected devices should upgrade their SMA1000 appliances to platform-hotfix version 12.4.3-0345 or later for the 12.4.3 branch, or version 12.5.0-0283 or later for the 12.5.0 branch. The hotfix can be accessed via the MySonicWall customer portal.
Administrators should also review appliance logs and configuration files for signs of exploitation. SonicWall identified suspicious requests to /api/login or /api/logout that return HTTP 200 responses in extraweb_access.log as potential indicators of compromise.
Requests to /wsproxy with suspicious host parameters that return HTTP 101 responses may also signify malicious activity. Other warning signs include hotfix rollback entries with path traversal-like names in ctrl-service.log.
Administrators should inspect /var/lib/unit/conf.json for routes that involve /api/login or /api/logout, as these paths do not belong to legitimate SMA1000 configurations.
If any evidence of compromise is found, SonicWall recommends re-imaging the affected hardware appliances or redeploying the virtual appliances.
Organizations should also reset all user and administrator passwords, as well as reset time-based one-time password tokens to invalidate potentially stolen authentication credentials.
SonicWall credited PSIRT researcher Adam Babis for reporting the vulnerabilities and thanked Sean Koessel and Steven Adair of Volexity for assisting with the investigation and helping identify an additional indicator of compromise.
Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.
The post Critical SonicWall Firewall 0-Day Vulnerabilities Actively Exploited in Attacks appeared first on Cyber Security News.
Abinaya
Go to cyber-security-news