SonicWall SMA appliances under active attack: patch or disconnect now
SonicWall has confirmed that attackers are actively exploiting two zero-day vulnerabilities in its SMA 1000 series appliances, the same remote-access devices many Australian businesses rely on for secure VPN and remote work.
The Two Flaws
CVE-2026-15409 SSRF in the SMA Workplace portal (CVSS 10.0)
A server-side request forgery bug in the SMA Workplace portal that lets an unauthenticated attacker force the appliance to make arbitrary internal requests. The Workplace portal is internet-facing by design, which makes this the entry point for the attack chain.
CVE-2026-15410 Command injection in the management console
A post-authentication command injection flaw in the management console. On its own it requires an authenticated session. But chained with CVE-2026-15409, an attacker can reach it without ever logging in.
What to Do Right Now
- Apply the hotfix immediately if you run SMA 6210, 7210, or 8200v appliances. The patched versions are 12.4.3-03453 and 12.5.0-02835.
- If you cannot patch today, restrict access to the SMA Workplace interface to known IP ranges, or take the appliance offline until you can.
- Check your SMA logs for unusual outbound requests originating from the Workplace interface. That is the SSRF signature to look for.
- If your IT provider manages a SonicWall for you, check with them today. Do not assume it has been patched.
US federal agencies have been given until 17 July to patch or disconnect. Australian businesses should treat that same date as their own deadline.
Not Sure Whether Your Appliance Is Affected?
All IT Services manages SonicWall and other firewall platforms as part of our cybersecurity practice. If you are unsure whether your appliance is patched or exposed, get in touch today.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
Read the Full Guide →
