HOMEVULNERABILITIESCVE-2026-15409
CRITICALCISA KEVIN THE WILD

CVE-2026-15409

CWE-918Published: July 14, 2026· Updated: Jul 16, 2026

10.0
CVSS v3.1
EPSS:1.40%probability of exploitation in 30 daysPercentile:69.5th

Official Description

A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.

NVD Source

Risk Analysis

This flaw in the SMA1000 Appliance WorkPlace interface allows an unauthenticated attacker to force the appliance to make requests to unintended external locations. The confirmed exploitation in the wild indicates this is a critical vulnerability despite the lack of a CVSS score.

Active exploitation of this vulnerability has been observed in the wild. This vulnerability is remotely exploitable without authentication.

Recommended Action

Apply the latest security updates for the SMA1000 Appliance WorkPlace interface. Restrict network access to the appliance where possible.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2026-15409 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 10.0.

The vulnerability has a "Changed" scope, meaning successful exploitation can impact components beyond the vulnerable component itself — such as the host operating system or adjacent services.

CISA has added CVE-2026-15409 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeChanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Vendors & Products

sonicwall5 product(s)
sma6210 firmwaresma6210sma7210 firmwaresma7210sma8200v
Source: NVD CPE · 21 total CPE entries

Exploit & PoC Resources

ACTIVE EXPLOITATIONConfirmed exploitation in the wild
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

News & Research Mentioning CVE-2026-15409

Rapid7 MDR Team Discovers New SonicWall SMA1000 Zero Days being Actively Exploited (CVE-2026-15409, CVE-2026-15410)
Rapid7 Blog· Jul 15, 2026

Overview On July 14, 2026, SonicWall published a security advisory addressing two vulnerabilities affecting SMA1000 Series remote access appliances, including the critical server-side request forgery (SSRF) vulnerability CVE-2026-15409 (CVSS 10.0) and the high-severity code injection vulnerability CVE-2026-15410. The advisory urges customers to immediately apply the latest platform hotfix releases. Successful exploitation of CVE-2026-15409 permits an unauthenticated attacker to open a websocket-based tunnel to arbitrary localhost-only services, while CVE-2026-15410 is a local privilege escalation that permits an attacker with access to an internal service listening on port 8188 on localhost to execute arbitrary operating system commands as root via a malicious path traversal-based remove_hotfix workflow. Both vulnerabilities are being actively exploited in the wild. Prior to SonicWall’s official vulnerability disclosure, Rapid7’s Managed Detection and Response team observed active, tar

Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands
The Hacker News· Jul 15, 2026

SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution. The vulnerabilities are listed below - CVE-2026-15409 (CVSS score: 10.0) - A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to [xlite_meta score:56 src:The Hacker News xlite_fp:1cbcf4613d2416ce4e472e9b452b3e8295503f8c739fc7923c4d6be704223a8b]

SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits
SecurityWeek· Jul 15, 2026

SonicWall SMA1000 zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410 can be exploited for remote code execution. The post SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits appeared first on SecurityWeek. [xlite_meta score:59 src:SecurityWeek xlite_fp:514485e4353ce6cf8a0c565310160de451186aae531887a36fa729a0664de6ad]

SonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch now
BleepingComputer· Jul 14, 2026

SonicWall warns that threat actors have been exploiting two SMA1000 vulnerabilities, tracked as CVE-2026-15409 and CVE-2026-15410, in zero-day attacks and urges customers to install the newly released security updates. [...] [xlite_meta score:67 src:BleepingComputer xlite_fp:1e3249ac027419c676f2d7330e3b84bd01ceadd6aaf22fd82e66ae262aadd552]

CISA Adds Four Known Exploited Vulnerabilities to Catalog
CISA Alerts· Jul 14, 2026

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-15409 SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability CVE-2026-15410 SonicWall SMA1000 Appliances Code Injection Vulnerability CVE-2026-56155 Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability CVE-2026-56164 Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vuln [xlite_meta score:57 src:CISA Alerts xlite_fp:78090dbb2096762043f3b2804305e14d8f4fa0aafeb3f9e1e54dbaa107d29a65]

All References (2)

Quick Facts

CVE IDCVE-2026-15409
CVSS Score10.0 / 10
SeverityCRITICAL
WeaknessCWE-918
CISA KEVYES — Active Exploitation
ExploitIN THE WILD
EPSS (30d)1.40%
Affected1 vendor(s)
PublishedJul 14, 2026

Related CVEs (CWE-918)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-15409 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • !CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • !Active exploitation confirmed — treat as P1
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.