Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

Security alert graphic for SonicWall SMA 1000 zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410

SonicWall SMA appliances under active attack: patch or disconnect now

SonicWall has confirmed that attackers are actively exploiting two zero-day vulnerabilities in its SMA 1000 series appliances, the same remote-access devices many Australian businesses rely on for secure VPN and remote work.

Both zero-days are being actively exploited right now and work together to give an unauthenticated attacker remote code execution with admin privileges. If you run SonicWall SMA 1000 series appliances, this requires action today.

The Two Flaws

CVE-2026-15409 SSRF in the SMA Workplace portal (CVSS 10.0)

A server-side request forgery bug in the SMA Workplace portal that lets an unauthenticated attacker force the appliance to make arbitrary internal requests. The Workplace portal is internet-facing by design, which makes this the entry point for the attack chain.

CVE-2026-15410 Command injection in the management console

A post-authentication command injection flaw in the management console. On its own it requires an authenticated session. But chained with CVE-2026-15409, an attacker can reach it without ever logging in.

That chaining is the critical detail. Even if your management console is not directly exposed to the internet, an attacker who hits the Workplace interface first can pivot through the SSRF to reach it. We see this pattern regularly in Australian MSP environments where SonicWall SMA appliances sit at the edge of client networks.

What to Do Right Now

  • Apply the hotfix immediately if you run SMA 6210, 7210, or 8200v appliances. The patched versions are 12.4.3-03453 and 12.5.0-02835.
  • If you cannot patch today, restrict access to the SMA Workplace interface to known IP ranges, or take the appliance offline until you can.
  • Check your SMA logs for unusual outbound requests originating from the Workplace interface. That is the SSRF signature to look for.
  • If your IT provider manages a SonicWall for you, check with them today. Do not assume it has been patched.

US federal agencies have been given until 17 July to patch or disconnect. Australian businesses should treat that same date as their own deadline.

Not Sure Whether Your Appliance Is Affected?

All IT Services manages SonicWall and other firewall platforms as part of our cybersecurity practice. If you are unsure whether your appliance is patched or exposed, get in touch today.


Related Guide

Cybersecurity for Sydney SMBs

Explore our complete guide to protecting your business from cyber threats.

Read the Full Guide →