// NEXUSVOID CYBER NEWS

<- ALL CYBER NEWS

Critical

SonicWall, SMA 1000, zero-day, CVE-2026-15409, SSRF, active exploitation

SonicWall SMA 1000 Zero-Days Exploited — One Scores a Perfect 10.0

SonicWall confirmed two zero-days in its SMA 1000 remote-access appliances are under active attack — a CVSS 10.0 unauthenticated SSRF and a post-auth flaw that runs OS commands as administrator. Patch now.

What happened. SonicWall confirmed two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances are being actively exploited. CVE-2026-15409 (CVSS 10.0) is a server-side request forgery (SSRF) flaw a remote, unauthenticated attacker can use to force the appliance to make requests to an attacker-chosen location. CVE-2026-15410 (CVSS 7.2) is a post-authentication code-injection bug in the Appliance Management Console (AMC) that lets an authenticated attacker run arbitrary operating-system commands as administrator.

Who's affected. Organizations running SMA 1000 series appliances — the remote-access gateways that sit at the network edge and broker VPN connections into internal systems. These devices are internet-facing by design, which is exactly what makes an unauthenticated 10.0 on one of them a first-priority problem.

What to do now. Apply SonicWall's patch immediately; for an actively exploited edge device, nothing beats patching. Until you can, restrict Appliance Management Console access to trusted networks and review appliance logs for unexpected outbound requests or admin-level command execution. Because these are zero-days, assume exploitation may predate your patch and hunt backward.

Our read. Edge appliances are the assets an annual pentest looks at once and then not again for twelve months — while an attacker looks at them every day. In our analysis of the 2025 KEV catalog, 20% of actively-exploited vulnerabilities were already in use on or before the day they were publicly disclosed. A zero-day in an internet-facing gateway is the purest version of that gap: there is no disclosure-to-scan window at all. Coverage of the edge has to be continuous, not scheduled.

Reporting by The Hacker News and BleepingComputer; vulnerability details per SonicWall's advisory. Sources linked above.

Liked this briefing? Share it:

More briefings

Related posts appear on the live page
Get the briefings first
Breaking security news, verified fast, with the one fact the headlines skip. No spam - unsubscribe anytime.