SonicWall has issued an emergency advisory for two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 appliances after confirming active exploitation in the wild. One flaw carries a maximum severity rating and allows unauthenticated attackers to execute arbitrary commands on affected devices.
The most critical flaw, CVE-2026-15409, is a server-side request forgery (SSRF) vulnerability with a CVSS score of 10.0. A remote, unauthenticated attacker can exploit this to run arbitrary code, potentially seizing full control of the appliance. A second zero-day, CVE-2026-15410, is also under active attack, though detailed technical specifics have not yet been publicly disclosed.
Compromising an SMA 1000 unit gives attackers direct access to a network's perimeter. These appliances govern critical remote access functions, making them prime targets for data theft, malware deployment, and lateral movement within corporate environments.
This incident is part of a recurring pattern of adversaries targeting SonicWall's internet-facing infrastructure. Past vulnerabilities in the related SMA 100 series have appeared in CISA's Known Exploited Vulnerabilities catalog, underscoring the persistent threat to edge access devices.
SonicWall's guidance is urgent and two-tiered. Organizations must immediately upgrade their SMA 1000 firmware to the vendor-supplied patched versions. Where immediate patching is not operationally feasible, administrators should disable the appliances' web management interfaces as a critical interim measure.
Following these emergency steps, a thorough incident response is essential. Administrators should audit their environments to locate all deployed SMA 1000 units, enable enhanced monitoring for suspicious outbound traffic, and carefully review access logs for indicators of compromise. Given the confirmed exploitation, these actions are vital for any organization relying on this hardware for secure remote access.
SonicWall 已針對其 Secure Mobile Access (SMA) 1000 設備中的兩個零日漏洞發布緊急安全公告,確認這些漏洞在野外遭到積極利用。其中一個漏洞被評為最高嚴重程度,允許未經認證的攻擊者在受影響的設備上執行任意命令。
最嚴重的漏洞 CVE-2026-15409 是一個伺服器端請求偽造 (SSRF) 漏洞,CVSS 評分為 10.0。未經認證的遠端攻擊者可利用此漏洞執行任意代碼,可能完全控制該設備。第二個零日漏洞 CVE-2026-15410 亦正遭積極攻擊,惟其詳細技術細節尚未公開披露。
入侵 SMA 1000 單元可讓攻擊者直接存取網絡邊界。這些設備管理著關鍵的遠端存取功能,使其成為竊取數據、部署惡意軟件以及在企業環境中進行橫向移動的主要目標。
此事件是針對 SonicWall 面向互聯網基礎設施的攻擊者反覆出現的模式之一。相關 SMA 100 系列設備過去的漏洞已出現在 CISA 的已知被利用漏洞目錄中,凸顯了對邊緣存取設備的持續性威脅。
SonicWall 的指引緊迫且分兩階段。各機構必須立即將其 SMA 1000 韌體升級至供應商提供的已修補版本。若在操作上無法立即進行修補,管理員應禁用設備的網頁管理介面作為關鍵的臨時措施。
在這些緊急步驟之後,徹底的事件應對至關重要。管理員應審計其環境以找出所有已部署的 SMA 1000 單元,啟用增強監控以偵測可疑的出站流量,並仔細檢查存取日誌以尋找入侵指標。鑑於漏洞已被證實遭利用,這些措施對依賴此硬件進行安全遠端存取的任何組織都至關重要。
