Signal

SonicWall SMA1000 zero-days exploited in active attacks, urgent patches released

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-07-14 20:27 UTCUpdated 2026-07-15 16:19 UTC
rss
cveexploitssecurity_advisoriesincident_responsemalware
Trend in the last 24h
Current brief openSource links open
This current signal is open on the public brief with summary, metadata, source links, and full evidence. Pro adds compare-over-time, alerts, exports, and workflow.
No card needed for the free brief.
Evidence trail (top sources)
top sources (4 domains)domains are deduped. counts indicate coverage, not truth.
4 top sources shown
Rapid7 blog on SonicWall SMA1000 zero-days
rapid7.com · rapid7.com · 2026-07-15 16:19 UTC
Overview

On July 14, 2026, SonicWall disclosed two critical zero-day vulnerabilities affecting its SMA1000 Series remote access appliances: CVE-2026-15409, a server-side request forgery (SSRF) vulnerability with a CVSS score of 10.0, and CVE-2026-15410, a high-severity...

Entities
SonicWallRapid7Cybersecurity and Infrastructure Security AgencyCanadian Centre for Cyber SecurityCERT-FRNCSC Netherlands
Score total
1.86
Momentum 24h
8
Posts
8
Origins
7
Source types
1
Duplicate ratio
0%
Why now
  • SonicWall published the advisory and patches on July 14, 2026, following observed active exploitation.
  • CISA and other cybersecurity agencies have added these CVEs to their Known Exploited Vulnerabilities databases, highlighting urgency.
  • Multiple international CERTs have issued alerts, emphasizing the global impact and need for rapid response.
Why it matters
  • These zero-day vulnerabilities allow attackers to gain unauthorized access and execute commands on critical remote access appliances.
  • Active exploitation in the wild increases risk of data breaches and network compromise for organizations using affected SonicWall SMA1000 devices.
  • Immediate patching is essential to prevent attackers from leveraging these flaws for further attacks or lateral movement.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
  • Two zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410 affect SonicWall SMA1000 appliances and are actively exploited in the wild.
  • CVE-2026-15409 is a critical SSRF vulnerability allowing unauthenticated remote attackers to open websocket tunnels to localhost services.
  • CVE-2026-15410 is a high-severity post-authentication code injection vulnerability enabling arbitrary OS command execution as root.
How sources frame it
  • Rapid7 MDR Team: neutral
  • Canadian Centre For Cyber Security: neutral
  • NCSC Netherlands: neutral
All evidence
All evidence
Rapid7 blog on SonicWall SMA1000 zero-days
rapid7.com · rapid7.com · 2026-07-15 16:19 UTC
SonicWall official vulnerability details
psirt.global.sonicwall.com · psirt.global.sonicwall.com · 2026-07-15 02:00 UTC
NCSC-2026-0239 [1.00] [H/H] Zero-Day kwetsbaarheden verholpen in SonicWall SMA1000
NCSC NL Security Advisories · advisories.ncsc.nl · 2026-07-15 09:56 UTC
Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands
thehackernews · thehackernews.com · 2026-07-15 05:30 UTC
SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits
SecurityWeek · securityweek.com · 2026-07-15 05:19 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 5Origin domains: 5Duplicates: -
Showing 5 / 0
Top publishers (this list)
  • rapid7.com (1)
  • psirt.global.sonicwall.com (1)
  • NCSC NL Security Advisories (1)
  • thehackernews (1)
  • SecurityWeek (1)
Top origin domains (this list)
  • rapid7.com (1)
  • psirt.global.sonicwall.com (1)
  • advisories.ncsc.nl (1)
  • thehackernews.com (1)
  • securityweek.com (1)