// NEXUSVOID CYBER NEWS
<- ALL CYBER NEWS
Critical
SonicWall, SMA 1000, zero-day, CVE-2026-15409, SSRF, active exploitation
SonicWall SMA 1000 Zero-Days Exploited — One Scores a Perfect 10.0
SonicWall confirmed two zero-days in its SMA 1000 remote-access appliances are under active attack — a CVSS 10.0 unauthenticated SSRF and a post-auth flaw that runs OS commands as administrator. Patch now.
What happened. SonicWall confirmed two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances are being actively exploited. CVE-2026-15409 (CVSS 10.0) is a server-side request forgery (SSRF) flaw a remote, unauthenticated attacker can use to force the appliance to make requests to an attacker-chosen location. CVE-2026-15410 (CVSS 7.2) is a post-authentication code-injection bug in the Appliance Management Console (AMC) that lets an authenticated attacker run arbitrary operating-system commands as administrator.
Who's affected. Organizations running SMA 1000 series appliances — the remote-access gateways that sit at the network edge and broker VPN connections into internal systems. These devices are internet-facing by design, which is exactly what makes an unauthenticated 10.0 on one of them a first-priority problem.
What to do now. Apply SonicWall's patch immediately; for an actively exploited edge device, nothing beats patching. Until you can, restrict Appliance Management Console access to trusted networks and review appliance logs for unexpected outbound requests or admin-level command execution. Because these are zero-days, assume exploitation may predate your patch and hunt backward.
Our read. Edge appliances are the assets an annual pentest looks at once and then not again for twelve months — while an attacker looks at them every day. In our analysis of the 2025 KEV catalog, 20% of actively-exploited vulnerabilities were already in use on or before the day they were publicly disclosed. A zero-day in an internet-facing gateway is the purest version of that gap: there is no disclosure-to-scan window at all. Coverage of the edge has to be continuous, not scheduled.
Reporting by The Hacker News and BleepingComputer; vulnerability details per SonicWall's advisory. Sources linked above.