CVE-2026-15409: SonicWall SMA1000 SSRF Zero-Day (CVSS 10.0) — Find Exposed Appliances — RECON Blog
Professional network intelligence for the field. 18 instrument modules — ping, traceroute, DNS, port scan, WHOIS, TLS, LAN sweep, throughput — in one tactical iOS workspace.
Designed for security/IR teams, military NetOps, network engineers and sysadmins.
JULY 15, 2026CVSS 10.0 · CRITICAL · ACTIVELY EXPLOITED5 MIN READ<br>CVE-2026-15409: SonicWall SMA1000 SSRF Zero-Day (CVSS 10.0) — How to Find Exposed Appliances on Your Network<br>SonicWall SMA1000 secure remote access appliances contain a server-side request forgery vulnerability in the WorkPlace portal interface that lets unauthenticated attackers force the appliance to make requests to unintended locations. CVSS 10.0, actively exploited as a zero-day, CISA KEV listed on July 14, 2026 with a BOD 26-04 remediation deadline of July 17 for FCEB agencies. A second vulnerability, CVE-2026-15410, enables post-authentication OS command injection through the Management Console and is also being exploited.<br>The Vulnerability<br>CVE-2026-15409 (CWE-918: Server-Side Request Forgery) is a critical SSRF vulnerability in the SMA1000 Appliance WorkPlace interface. A remote unauthenticated attacker can craft requests that force the appliance to make arbitrary server-side requests, potentially reaching internal resources that should not be externally accessible. The vulnerability requires no authentication, no user interaction, and has low attack complexity.<br>CVSS: 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) — Scope Changed — SonicWall Advisory SNWLID-2026-0008<br>CWE: CWE-918 (Server-Side Request Forgery)<br>AFFECTED: SMA 6210, SMA 7210, SMA 8200v, and CMS — builds 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, 12.5.0-02800<br>FIXED: 12.4.3-03453 (platform-hotfix) and later, 12.5.0-02835 (platform-hotfix) and later<br>EXPLOITED: Active exploitation confirmed — CISA KEV listed July 14, 2026 · BOD 26-04 deadline July 17, 2026 (FCEB agencies)<br>RELATED: CVE-2026-15410 (post-auth OS command injection, CVSS 7.2, also actively exploited and CISA KEV listed)
The "Scope: Changed" CVSS metric is significant — it means the vulnerability impacts resources beyond the vulnerable component itself. An SSRF in a VPN appliance sitting at the network perimeter can pivot to internal services, cloud metadata endpoints, or management interfaces that would otherwise be unreachable from the internet. This is why SonicWall's CVSS assessment rates it 10.0 despite "only" being an SSRF.<br>The Second Vulnerability: CVE-2026-15410<br>CVE-2026-15410 (CWE-94: Code Injection, CVSS 7.2) is a post-authentication OS command injection flaw in the SMA1000 Appliance Management Console (AMC). An authenticated administrator can execute arbitrary operating system commands. While the authentication requirement limits direct exploitation, SonicWall confirmed active exploitation of both vulnerabilities but has not disclosed whether attackers chained them together.<br>SonicWall confirmed both vulnerabilities are being actively exploited. Both are CISA KEV listed with the same July 17 deadline. The same platform hotfixes address both CVEs.<br>SonicWall SMA: A Recurring Target<br>This is the latest in a series of SMA appliance zero-days. SonicWall SMA devices have been targeted by threat actors including suspected Chinese groups in previous campaigns. VPN and remote access appliances remain high-value targets because they sit at the network edge, handle authentication, and are often exposed to the internet by design.<br>Investigation Workflow<br>SMA1000 appliances are purpose-built VPN/remote access gateways, typically internet-facing. They expose distinctive web interfaces that are identifiable through port scanning, TLS inspection, and HTTP response analysis.<br>1. Port Scan: Find SMA1000 Appliances<br>SMA1000 appliances use several default ports. The WorkPlace portal (where CVE-2026-15409 lives) and the Management Console (where CVE-2026-15410 lives) are the primary targets:<br>• 443 — HTTPS (CMS communication; also commonly configured as WorkPlace SSL port)<br>• 8443 — HTTPS (Appliance Management Console — where CVE-2026-15410 resides)<br>• 8085 — HTTP (WorkPlace portal default — where CVE-2026-15409 resides)<br>• 8444 — HTTPS (CMS communication)<br>• 8080 — Tunnel Service<br>2. HTTP Headers: Identify SMA1000 Interfaces<br>SMA1000 appliances return identifiable HTTP responses:<br>• Server: SMA/% — SonicWall SMA server header pattern<br>• HTML title WorkPlace — the user-facing portal where CVE-2026-15409 resides<br>• HTML title Appliance Management Console Login — the admin interface where CVE-2026-15410 resides<br>• HTML title Central Management Console Login — CMS management interface<br>• Favicon hash 16866410 (MMH3) — SonicWall SMA favicon fingerprint<br>3. TLS Inspect: Examine Certificates<br>Pull the TLS certificate on ports 443 and 8443. Look for:<br>• Subject CN or SAN containing sma, vpn, remote, or access<br>• Default self-signed certificates from SonicWall (common...