Product Notice: SMA 1000 Series affected by Multiple Vulnerabilities

1784004323

Overview

  • CVE-2026-15409: Server-Side Request Forgery – CVSS Score: 10.0 (Critical)
  • CVE-2026-15410: Remote Code Execution – CVSS Score: 7.2 (High)

SonicWall Secure Mobile Access 1000 Series 12.4.3 and 12.5.0 firmware (see impacted versions) are affected by this vulnerability.

 

IMPORTANT: These vulnerabilities have been confirmed as being actively exploited in the wild.

This vulnerability is unrelated to any other reported vulnerability on other SonicWall products. 

Product Impact

Please review the table below to see the products and their versions that are impacted:

Impacted Product(s)

Impacted Versions

SMA 1000 (6210, 7210, 8200v & CMS – all hypervisors)

12.4.3-03245, 12.4.3-03387, 12.4.3-03434

12.5.0-02283, 12.5.0-02624, 12.5.0-02800

 

Remediation

Impacted Product(s)

Impacted Versions

Fixed Version

SMA 1000 (6210, 7210, 8200v & CMS – all hypervisors)

12.4.3-03245, 12.4.3-03387, 12.4.3-03434

 

12.5.0-02283, 12.5.0-02624, 12.5.0-02800

12.4.3-03453 and higher versions

12.5.0-02835 and higher versions

 

All organizations with deployments of SMA1000 appliances (whether virtual or physical) on affected versions must perform the following: 

  • Upgrade to the latest hotfix version – available via https://www.mysonicwall.com
  • Perform a thorough forensic analysis of the system to determine if any indicators of compromise (IoCs) are present
  • If IOCs are present on the system:
    • Re-image (hardware) or re-deploy (virtual) appliances
    • Change user & administrator passwords
    • Reset TOTP tokens

Note: Configuration backups should only be used if the backup pre-dates the installation of the December hotfix versions (12.4.3-03245 & 12.5.0-02283).  When no configuration backup exists prior to installation of the December hotfix, it is recommended to closely audit the configuration to ensure it has not been tampered with.     

Indicators of Compromise

  • extraweb_access.log – requests to the following with http 200 status:
    •  /_api_/login
    • /__api__/logout
  • extraweb_access.log – requests to /wsproxy which include suspicious host parameters with http status 101
  • ctrl-service.log – any entries with “hotfix removal” which include a path traversal name
  • /var/lib/unit/conf.json - contains routes for: 
    • /__api__/login
    • /__api__/logout 

Note: For guidance on locating these indicators, or for all other questions related to this vulnerability, please open a SonicWall Support case through Contact Support - SonicWall.

Related information 

 

Change Log:

  • 2026-07-14: Added var/lib/unit/conf.json IOC.
  • Previous Alert
    Security Advisory: Firmware Update Required — Gen 6, Gen 7, and Gen 8 Firewalls
    Read More