{"id":221,"created_when":"2026-07-14T14:43:22Z","created_by":"arun","updated_when":"2026-07-14T14:43:22Z","updated_by":"arun","advisory_id":"SNWLID-2026-0008","title":"SonicWall SMA1000 Series Appliances Affected By Multiple Vulnerabilities","published_when":"2026-07-14T14:43:22Z","last_updated_when":"2026-07-14T14:43:22Z","impact":"critical","cvss":"10.0","cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","cvss_version":3.0,"cwe":"CWE-918, CWE-94","cve":"CVE-2026-15409, CVE-2026-15410","cpe":"","summary":"<p>\r\n\r\n</p><p><span style=\"font-size: 11pt; color: rgb(181, 99, 8);\">1) CVE-2026-15409 - A Server-side request forgery (SSRF) </span></p><p>A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.\r\n<br></p><p>CVSS Score: 10.0<br>\r\nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H<br>\r\nCWE-918: Server-Side Request Forgery (SSRF)\r\n\r\n</p><p>\r\n\r\n</p><p><span style=\"font-size: 11pt; color: rgb(181, 99, 8);\">2) CVE-2026-15410 - Post-authentication improper control of generation of code ('Code Injection')</span></p><p>Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.\r\n<br></p><p>CVSS Score: 7.2<br>\r\nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H<br>\t\r\nCWE-94: Improper Control of Generation of Code ('Code Injection')\r\n</p><p></p><p>\r\n\r\n</p>\r\n\r\n<p><b>IMPORTANT:</b> SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory. Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities.</p>","is_workaround_available":false,"workaround":"None.","detail":"<p></p><p><span style=\"font-weight: bolder; background-color: rgb(255, 255, 0);\">Indicators of Compromise (IOCs)</span></p><p></p><p class=\"isSelectedEnd\">Customers should review logs for signs including, but not limited to:</p><ul data-spread=\"false\"><li>- i<span data-teams=\"true\">f in extraweb_access.log are mentioned requests to /__api__/login or /__api__/logout with http 200 status</span></li><li><span data-teams=\"true\">- <span data-teams=\"true\">if in extraweb_access.log are mentioned requests to /wsproxy with suspicious host parameters with 101 http status</span></span></li><li><span data-teams=\"true\"><span data-teams=\"true\">- <span data-teams=\"true\">if in ctrl-service.log are mentioned hotfix rollbacks with path traversal names</span></span></span></li><li><span data-teams=\"true\"><span data-teams=\"true\"><span data-teams=\"true\">-&nbsp;if /var/lib/unit/conf.json contains routes for /__api__/login or /__api__/logout (these URIs do not exist in legitimate configuration)<br></span></span><br></span></li></ul><p><b style=\"background-color: rgb(255, 255, 0);\">Recommended Actions</b></p><p class=\"isSelectedEnd\">Customers are strongly encouraged to:</p><ul data-spread=\"false\"><li>- Upgrade to the latest hotfix version. (The latest platform-hotfix is available for download on <a href=\"https://www.mysonicwall.com/\" target=\"_blank\">mysonicwall.com</a>)</li><li>- Perform a thorough forensic analysis of the system to determine if any indicators of compromise (IoCs) are present.</li><li>- If IOCs are present on the system:</li><li>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; - Re-image (hardware) or re-deploy (virtual) appliances.</li><li>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; - Change user &amp; administrator passwords.</li><li>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; - Reset TOTP tokens</li></ul>","affected_products":"<table class=\"MsoNormalTable\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" width=\"629\" style=\"color: rgb(51, 51, 51); font-family: &quot;Nunito Sans&quot;, sans-serif; font-size: 13px; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial; width: 471.5pt;\"><tbody><tr style=\"height: 0.2in;\"><td width=\"413\" nowrap=\"\" valign=\"bottom\" style=\"width: 310pt; border: 1pt solid windowtext; background: rgb(237, 125, 49); padding: 0in 5.4pt; height: 0.2in;\"><p class=\"MsoNormal\" style=\"text-align: center;\"><b><span style=\"font-size: 10pt;\">Affected Product</span></b></p></td><td width=\"215\" nowrap=\"\" valign=\"bottom\" style=\"width: 161.5pt; border: 1pt solid windowtext; background: rgb(237, 125, 49); padding: 0in 5.4pt; height: 0.2in;\"><p class=\"MsoNormal\" style=\"text-align: center;\"><b><span style=\"font-size: 10pt;\">Affected Version(s)</span></b><span style=\"font-size: 10pt;\"><o:p></o:p></span></p></td></tr><tr style=\"height: 0.2in;\"><td width=\"413\" nowrap=\"\" valign=\"top\" style=\"width: 310pt; border-right: 1pt solid windowtext; border-bottom: 1pt solid windowtext; border-left: 1pt solid windowtext; border-image: initial; border-top: none; padding: 0in 5.4pt; height: 0.2in;\"><p class=\"MsoNormal\" style=\"text-align: left;\">SMA1000 Models - 6210, 7210, 8200v&nbsp;</p></td><td width=\"215\" nowrap=\"\" valign=\"top\" style=\"width: 161.5pt; border-top: none; border-left: none; border-bottom: 1pt solid windowtext; border-right: 1pt solid windowtext; padding: 0in 5.4pt; height: 0.2in;\"><p class=\"MsoNormal\" style=\"text-align: center;\">12.4.3-03245, 12.4.3-03387 and 12.4.3-03434 (platform-hotfix)</p><p class=\"MsoNormal\" style=\"text-align: center;\"><span class=\"ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak\" dir=\"ltr\">1</span>2.5.0-02283, 12.5.0-02624 and 12.5.0-02800 (platform-hotfix)</p></td></tr></tbody></table><br><p><i>Note: These vulnerabilities do not affect SSL-VPN running on SonicWall firewalls or the SMA 100 Series product line.</i></p><i>\r\n\r\nThe latest platform-hotfix is available for download on <a href=\"https://www.mysonicwall.com/\" target=\"_blank\">mysonicwall.com</a></i>","fixed_software":"<table class=\"MsoNormalTable\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" width=\"629\" style=\"color: rgb(51, 51, 51); font-family: &quot;Nunito Sans&quot;, sans-serif; font-size: 13px; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial; width: 471.5pt;\"><tbody><tr style=\"height: 0.2in;\"><td width=\"413\" nowrap=\"\" valign=\"bottom\" style=\"width: 310pt; border: 1pt solid windowtext; background: rgb(237, 125, 49); padding: 0in 5.4pt; height: 0.2in;\"><p class=\"MsoNormal\" style=\"text-align: center;\"><b><span style=\"font-size: 10pt;\">Fixed Product</span></b></p></td><td width=\"215\" nowrap=\"\" valign=\"bottom\" style=\"width: 161.5pt; border: 1pt solid windowtext; background: rgb(237, 125, 49); padding: 0in 5.4pt; height: 0.2in;\"><p class=\"MsoNormal\" style=\"text-align: center;\"><b><span style=\"font-size: 10pt;\">Fixed Version(s)</span></b><span style=\"font-size: 10pt;\"><o:p></o:p></span></p></td></tr><tr style=\"height: 0.2in;\"><td width=\"413\" nowrap=\"\" valign=\"top\" style=\"width: 310pt; border-right: 1pt solid windowtext; border-bottom: 1pt solid windowtext; border-left: 1pt solid windowtext; border-image: initial; border-top: none; padding: 0in 5.4pt; height: 0.2in;\"><p class=\"MsoNormal\" style=\"text-align: justify;\">SMA1000 Models - 6210, 7210, 8200v</p></td><td width=\"215\" nowrap=\"\" valign=\"top\" style=\"width: 161.5pt; border-top: none; border-left: none; border-bottom: 1pt solid windowtext; border-right: 1pt solid windowtext; padding: 0in 5.4pt; height: 0.2in;\"><p class=\"MsoNormal\" style=\"text-align: center;\"><span class=\"ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak\" dir=\"ltr\">12.4.3-03453 (platform-hotfix) and higher versions.</span></p><p class=\"MsoNormal\" style=\"text-align: center;\"><span class=\"ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak\" dir=\"ltr\">12.5.0-02835 (platform-hotfix) and higher versions.</span></p></td></tr></tbody></table><br>","credits":"<p>Internally discovered and reported by Adam Babis of SonicWall PSIRT.</p><p>Sean Koessel and Steven Adair of <a href=\"http://www.volexity.com\" target=\"_blank\">Volexity</a> - helped advance SonicWall's PSIRT investigation, leading to the identification of an additional IOC.</p><p><br></p>","revision_history":"<ul class=\"summary-detail-item-label-group\">\r\n    <li class=\"summary-detail-label\">Version</li>\r\n    <li class=\"summary-detail-item\"><p>1.0</p></li>\r\n</ul>\r\n<ul class=\"summary-detail-item-label-group\">\r\n    <li class=\"summary-detail-label\">Date</li>\r\n    <li class=\"summary-detail-item\">\r\n        <p>14-Jul-2026</p>\r\n    </li>\r\n</ul>\r\n<ul class=\"summary-detail-item-label-group\">\r\n    <li class=\"summary-detail-label\">Description</li>\r\n    <li class=\"summary-detail-item\"><p>Initial Release.</p></li><p>---------------------------------------</p></ul>\r\n<ul class=\"summary-detail-item-label-group\">\r\n    <li class=\"summary-detail-label\">Version</li>\r\n    <li class=\"summary-detail-item\"><p>1.1</p></li>\r\n</ul>\r\n<ul class=\"summary-detail-item-label-group\">\r\n    <li class=\"summary-detail-label\">Date</li>\r\n    <li class=\"summary-detail-item\">\r\n        <p>14-Jul-2026</p>\r\n    </li>\r\n</ul>\r\n<ul class=\"summary-detail-item-label-group\">\r\n    <li class=\"summary-detail-label\">Description</li>\r\n    <li class=\"summary-detail-item\"><p>Updated Credits section - Updated the Credits section to acknowledge Sean Koessel and Steven Adair of Volexity for their contribution to the investigation.</p></li>\r\n</ul>","references":"","vuln_status":"Applicable","status":"published","is_published":true,"patterns":[],"vulnerable_products":[{"id":5,"name":"Secure Mobile Access (SMA) 1000 Series"}]}