Latest SonicWall SonicOS vulnerabilities: CVE-2026-15409 and CVE-2026-15410 #

SonicWall disclosed that certain versions of the SMA1000 series appliances are susceptible to the following vulnerabilities:

  • CVE-2026-15409: A Server-Side Request Forgery (SSRF) vulnerability allows a remote unauthenticated attacker to access internal server resources and unintended locations. This vulnerability has been designated CVE-2026-15409 and has been rated critical with a CVSS score of 10.0.
  • CVE-2026-15410: A authenticated remote code execution (RCE) vulnerability in the SMA1000 Appliance Management Console (AMC) could allow an attacker with administrator permissions to execute OS commands. This vulnerability has been designated CVE-2026-15410 and has been rated high with a CVSS score of 7.2.

There is evidence that these vulnerabilities are being actively exploited in the wild and the vulnerability has been added to the CISA KEV list July 14th, 2026.

The following versions are affected:

  • SMA1000 Models - 6210, 7210, 8200v
    • 12.4.3-03245
    • 12.4.3-03387
    • 12.4.3-03434
    • 12.5.0-02283
    • 12.5.0-02624
    • 12.5.0-02800

    What is SonicWall SMA1000? #

    SonicWall Secure Mobile Access (SMA) 1000 series appliances are hardware security devices that provide zero-trust and secure access gateway support for businesses.

    What is the impact? #

    Successful exploitation of the vulnerabilities allows an unauthenticated attacker with network access to gain unauthorized access to management functionality, potentially allowing an attacker to access administrative endpoints and if the vulnerabilities can be chained potentially remote code execution.

    Are updates or workarounds available? #

    Users are encouraged upgrade affected systems to the following versions immediately:

    • Version 12.4.3-03453 or later
    • Version 12.5.0-02835 or later

      How to find potentially vulnerable systems with runZero #

      From the Asset Inventory, use the following query to locate potentially impacted assets:

      hw:="SonicWall SMA1000" AND os_version:>0 AND (os_version:=12.4.3 OR os_version:=12.5.0)

      May 2026: CVE-2026-0204, CVE-2026-0205, and CVE-2026-0206 #

      SonicWall disclosed that certain versions of SonicOS across Gen 6, Gen 7, and Gen 8 firewall platforms are susceptible to the following vulnerabilities:

      • CVE-2026-0204: A flaw in the access control mechanism may expose management interface functions under specific conditions. An unauthenticated attacker with adjacent network access could gain unauthorized access to management functionality, potentially leading to security control bypasses or administrative misuse. This vulnerability has been designated CVE-2026-0204 and has been rated high with a CVSS score of 8.0.
      • CVE-2026-0205: A post-authentication path traversal vulnerability allows an authenticated attacker with adjacent network access to interact with restricted services. This vulnerability has been designated CVE-2026-0205 and has been rated medium with a CVSS score of 6.8.
      • CVE-2026-0206: A post-authentication stack-based buffer overflow allows a remote, high-privileged attacker to cause a denial-of-service (DoS) by crashing the firewall. This vulnerability has been designated CVE-2026-0206 and has been rated medium with a CVSS score of 4.9.

      While unconfirmed, the initial authentication bypass (CVE-2026-0204) may provide an unauthenticated attacker with the privileges necessary to chain and exploit the subsequent path traversal and buffer overflow vulnerabilities.

      The following versions are affected:

      • Gen 6 Series (TZ 300/400/500/600, NSA 2650–6650, SOHO 250, SM 9200–9650): SonicOS version 6.5.5.1-6n and prior.
      • Gen 7 Series (TZ 270–670, NSa 2700–6700, NSsp 10700–15700, NSv 270-870): SonicOS 7.0.1-5169 and prior, and 7.3.1-7013 and prior.
      • Gen 8 Series (TZ 80–680, NSa 2800–5800): SonicOS version 8.1.0-8017 and prior.

      What is the impact? #

      Successful exploitation of the vulnerabilities allows an unauthenticated attacker with adjacent network access to gain unauthorized access to management functionality, potentially leading to security control bypasses.

      Are updates or workarounds available? #

      Users are encouraged upgrade affected systems to the following versions immediately:

      • Gen 6 Series: Upgrade to SonicOS version 6.5.5.2-28n or later.
      • Gen 7 Series: Upgrade to SonicOS version 7.3.2-7010 or later.
      • Gen 8 Series: Upgrade to SonicOS version 8.2.0-8009 or later.

        How to find potentially vulnerable systems with runZero #

        From the Asset Inventory, use the following query to locate potentially impacted assets:

        hw:="SonicWall%" AND os:="SonicWall SonicOS%" AND
          os_version:>0 AND ((os_version:<"6.5.5.2-28n") OR
          (os_version:>="7" AND os_version:<"7.3.2-7010") OR
          (os_version:>="8" AND os_version:<"8.2.0-8009"))

        July 2025: SMA1000 series, multiple vulnerabilities #

        SonicWall has disclosed four vulnerabilities, across two advisories (SNWLID-2025-0014 and SNWLID-2025-0012), in certain versions of SMA 100 series products (SMA 210, 410 and 500v).

        • An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote adversary with administrative privileges can exploit this flaw to upload arbitrary files to the system, potentially leading to remote code execution (RCE). This vulnerability has been designated CVE-2025-40599 and has been rated critical with a CVSS score of 9.1.
        • A stack-based buffer overflow vulnerability in the SMA 100 series web interface may allow a remote, unauthenticated adversary to achieve remote code execution (RCE) or cause a denial-of-service (DoS) condition. This vulnerability has been designated CVE-2025-40596 and has been rated high with a CVSS score of 7.3.
        • A heap-based buffer overflow vulnerability in the SMA 100 series web interface may allow a remote, unauthenticated adversary to achieve remote code execution (RCE) or cause a denial-of-service (DoS) condition. This vulnerability has been designated CVE-2025-40597 and has been rated high with a CVSS score of 7.5.
        • A reflected cross-site scripting (XSS) vulnerability in the SMA 100 series web interface may allow a remote, unauthenticated adversary to execute arbitrary client-side JavaScript code in a victim's web browser. This vulnerability has been designated CVE-2025-40598 and has been rated medium with a CVSS score of 6.1.

        The following versions are affected

        • SMA 100 Series (SMA 210, 410, 500v) version 10.2.1.15-81sv and prior versions

        What is the impact? #

        Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable device, potentially leading to complete system compromise.

        Are updates or workarounds available? #

        Users are encouraged to update to the latest version as quickly as possible:

        • SMA 100 Series (SMA 210, 410, 500v) upgrade to version 10.2.2.1-90sv or later

        There is no evidence these vulnerabilities are being exploited in the wild. However, due to latest threat intelligence from Google Threat Intelligence Group (GTIG), which highlights potential risks, SonicWall is strongly advising all organizations using SMA 100 series products to take additional measures detailed in the comments section of the security advisory SNWLID-2025-0014.

        How to find potentially vulnerable systems with runZero #

        From the Asset Inventory, use the following query to locate potentially vulnerable assets:

        hw:="SonicWall SMA100"

        May 2025: SMA1000 series, multiple vulnerabilities #

        SonicWall has issued an advisory for its SMA100 Series appliances. 

        What is the impact? #

        When chained together, the vulnerabilities could allow a remote authenticated attacker to bypass system checks leading to potential remote code execution. It does not affect SonicWall Firewall or SMA 1000 series appliances.

        Are updates or workarounds available? #

        The vendor advises users to update to platform-hotfix (10.2.1.15-81sv or later) as soon as possible. The vendor also advises its customers to configure multifactor authentication (MFA) and enable WAF on the appliance.

        How to find potentially vulnerable systems with runZero #

        From the Service Inventory, use the following query to locate systems running potentially vulnerable firmware:

        hw:"SonicWall SMA100" OR (_asset.protocol:http AND http.head.server:="SonicWALL SSL-VPN Web Server")

        January 2025: SMA1000 Series #

        SonicWall has issued an advisory for its SMA1000 Series appliances. The vendor reported that this vulnerability may be actively exploited in the wild.

        This vulnerability has been designated CVE-2025-23006 and has been assigned a CVSS score of 9.8 (critical).

        What is the impact? #

        The vulnerability would allow for a remote unauthenticated attacker to execute arbitrary operating system commands. The vulnerability was discovered within the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). It does not affect SonicWall Firewall or SMA 100 series appliances.

        Are updates or workarounds available? #

        The vendor advises users to update to platform-hotfix (12.4.3-02854 or later) as soon as possible. The vendor also advises its customers to follow the steps outlined in the Best Practices section of the SMA1000 Administration Guide. Access to the console should also be restricted to trusted networks.

        How to find potentially vulnerable systems with runZero #

        From the Service Inventory, use the following query to locate systems running potentially vulnerable firmware:

        hw:"SonicWall SMA1000" OR _asset.protocol:http (last.html.title:="Appliance Management Console Login" OR last.html.title:="Central Management Console Login" OR http.head.server:="SMA/%" OR (favicon.ico.image.mmh3:"16866410" AND (last.html.title:"WorkPlace" OR html.title:"WorkPlace")))

        September 2024: SonicOS and SSLVPN #

        SonicWall disclosed a vulnerability that affects SonicOS management access and SSLVPN software on SonicWall Gen 5, Gen 6, in addition to Gen 7 devices running SonicOS version 7.0.1-5035 or earlier.

        CVE-2024-40766 is rated critical with CVSS score of 9.3, and potentially allows for unauthorized resource access by an attacker.

        What is the impact? #

        Successful exploitation of this vulnerability potentially results in unauthorized resource access and in some cases could lead to a DoS after causing vulnerable devices to crash.

        Are updates or workarounds available? #

        SonicWall recommends restricting management access to trusted sources or disabling WAN management from the public Internet. Additionally, SonicWall has released updated firmware which is available for download from mysonicwall.com.

        How to find potentially vulnerable systems with runZero #

        From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

        hw:"SonicWall"

        Written by Matthew Kienow

        Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

        More about Matthew Kienow

        Written by Cale Black

        Cale Black is a vulnerability researcher at runZero. Previously Cale worked as a lead penetration tester and researcher where he reproduced and delivered over 200 N-day exploits, and developed for the go-exploit exploitation framework.

        More about Cale Black

        Written by runZero Team

        Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!

        More about runZero Team
        Subscribe Now

        Get the latest news and expert insights delivered in your inbox.

        Welcome to the club! Your subscription to our newsletter is successful.

        Explore more runZero

        Product
        Announcing runZero 5.0: Exposure management built to outpace AI-driven attacks
        When you're up against AI, every minute counts. Get deep, actionable intelligence across your entire attack surface to close the gaps and hold the...
        Product Videos
        runZero 5.0: Platform Demo
        With the new 5.0 release, runZero is giving defenders the edge they need to succeed in the AI-attack era.
        runZero Perspective
        BOD 26-04: A new era of prioritized remediation
        A complete breakdown of CISA's BOD 26-04 directive. Learn how the shift to SSVC, risk-based KEV prioritization, and 3-day remediation impacts your...
        runZero Perspective
        Dawn of the apex agentic adversary
        When agentic AI can weaponize exploits in seconds, visibility is everything. Stop the predator with runZero’s exposure management for the AI-attack...
        Podcasts
        The shadow era AI, exploits, and cybersecurity's 90s comeback
        HD Moore explains how AI is turning hacking back to the 90s, generating permanent exploit skeleton keys and breaking traditional defense.
        Talks
        Identifying exposures at scale with BloodHound OpenGraph
        Traditional exposure management misses hidden attack paths. Learn how BloodHound and Cypher queries can uncover vulnerabilities beyond individual...
        Podcasts
        When is a vulnerability not a vulnerability?
        Attackers care about outcomes, not CVEs. Tod Beardsley joins Distilled Security to discuss reframing risk from checklist compliance to adversary...
        Podcasts
        Know Your Adversary with HD Moore
        runZero CEO HD Moore breaks down the myth of air-gapped networks, the impact of AI on security, and why asset connectivity is everything.

        See Results in Minutes

        See & secure your total attack surface. Even the unknowns & unmanageable.