CVE-2026-15409
Description
A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.
In plain language
AI Act nowCVE-2026-15409 is a critical flaw in the sma1000 appliance that lets an attacker make the device send network requests to unintended places—without logging in—and it is already being exploited in the wild, so small businesses should act immediately if they use this appliance.
Unauthenticated SSRF in the SMA1000 Appliance Work Place interface allows remote attackers to induce the device to make HTTP requests to arbitrary locations (no authentication or user interaction required), enabling internal network targeting and potential data theft; the issue is confirmed in CISA KEV and being exploited in the wild.
What to do now
- Identify whether you use the sma1000 appliance and confirm it has the SMA1000 Appliance Work Place interface enabled.
- Check with your SonicWall/SMA vendor portal, support ticket, or release notes for any mitigation or fixed firmware/package for CVE-2026-15409, since patch details are not included here.
- If no fix is available yet, follow SonicWall’s vendor instructions for mitigations for CVE-2026-15409 and reduce exposure per CISA guidance.
- Contact your IT/security contact to begin forensic review for signs of compromise related to unexpected outbound requests from the appliance immediately.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:CScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
- Rapid7 MDR Team Discovers New SonicWall SMA1000 Zero Days being Actively Exploited (CVE-2026-15409, CVE-2026-15410)en·Rapid7 Blog·
- Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commandsen·The Hacker News·
- SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploitsen-us·SecurityWeek·
- SonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch nowen-us·BleepingComputer·
- SonicWall SMA appliances targeted in zero-day attacks (CVE-2026-15409, CVE-2026-15410)en-us·Help Net Security·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-15409 and every CVE in our database. Create a free account — no credit card required.
Create Free Account