Description
Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.
In plain language
AI Act nowCVE-2026-15410 is a bug in the SMA1000 Appliance Management Console that lets a logged-in administrator run operating-system commands; because it’s already being used in real attacks, most small businesses should act now if they use this console.
CVE-2026-15410 is a post-authentication code injection in the SMA1000 Appliance Management Console (AMC) that allows a remote authenticated administrator to execute arbitrary OS commands via the web console interface; it’s listed in CISA KEV and exploitation has been confirmed in the wild.
What to do now
- Confirm whether you use the SMA1000 Appliance Management Console (AMC) and whether any administrator accounts exist for it.
- Assume risk if an attacker can reach the AMC web console and obtain administrator access (even briefly).
- Check with your SonicWall support/Vendor advisory for the specific mitigation details for CVE-2026-15410, since no patch version is currently listed.
- Reduce exposure immediately by restricting network access to the AMC web console (allow only trusted admin IPs/VPN) and block public/internet reachability.
- Follow CISA guidance to prioritize risk-based security updates for this asset and meet the CISA remediation deadline of 2026-07-17.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:HPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
- Rapid7 MDR Team Discovers New SonicWall SMA1000 Zero Days being Actively Exploited (CVE-2026-15409, CVE-2026-15410)en·Rapid7 Blog·
- Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commandsen·The Hacker News·
- SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploitsen-us·SecurityWeek·
- SonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch nowen-us·BleepingComputer·
- SonicWall SMA appliances targeted in zero-day attacks (CVE-2026-15409, CVE-2026-15410)en-us·Help Net Security·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-15410 and every CVE in our database. Create a free account — no credit card required.
Create Free Account