Canadian Cyber Security Journal
SOCIAL:
Filed under: Featured, TechTalk

SonicWall SMA1000 Zero-Days CVE-2026-15409 and CVE-2026-15410 Actively Exploited — What Canadian Organizations Must Do Before July 17

What Happened

SonicWall disclosed two actively exploited zero-day vulnerabilities in its SMA1000 series remote access appliances on July 15, 2026. The first, CVE-2026-15409, carries a CVSS score of 10.0. It is an unauthenticated server-side request forgery (SSRF) flaw in the Workplace web interface. An unauthenticated remote attacker exploiting this flaw forces the appliance to issue HTTP requests to arbitrary internal network destinations, giving the attacker a proxy into the internal environment without requiring credentials. The second, CVE-2026-15410, is a post-authentication OS command injection flaw (CVSS 7.2) in the Appliance Management Console, enabling an authenticated administrator-level account to run arbitrary operating system commands on the device itself.

SonicWall confirmed both vulnerabilities are being actively chained in incidents its teams investigated. Affected appliance models are the 6210, 7210, and 8200v. Patches are available in hotfix releases 12.4.3-03453 and 12.5.0-02835. CISA added both CVEs to its Known Exploited Vulnerabilities catalog and set a July 17, 2026 remediation deadline for US federal civilian executive branch agencies under BOD 26-04 — giving administrators fewer than three days to patch or disconnect.

Why This Matters for Canadian Organizations

SonicWall SMA1000 appliances are enterprise-grade remote access gateways deployed across Canada’s financial services, healthcare, government, and critical infrastructure sectors. An unauthenticated attacker exploiting CVE-2026-15409 forces the gateway to make requests on their behalf to internal network resources. In environments where the SMA1000 bridges remote users to internal systems, SSRF access enables enumeration of internal services, identification of additional attack targets, and staging of follow-on intrusions. Chaining CVE-2026-15410 elevates the attacker’s position from reconnaissance capability to persistent device-level control.

The three-day US federal deadline should be treated as a benchmark by Canadian public sector organizations and Crown corporations, not a target to wait for from CCCS. OSFI B-13 requires federally regulated financial institutions to manage material cyber vulnerabilities on a risk-prioritized basis. A CVSS 10.0 flaw with confirmed active exploitation in a perimeter access device meets any reasonable definition of material risk. Under PIPEDA, a breach originating from an unpatched remote access gateway carries breach-of-security-safeguards notification obligations. Organizations in provinces with substantially similar privacy legislation face equivalent disclosure requirements.

What to Do

Identify all SMA1000 appliances — models 6210, 7210, and 8200v — in your environment. Update immediately to hotfix release 12.4.3-03453 or 12.5.0-02835, available from SonicWall’s download portal. If patching before July 17 is not achievable, remove the appliance from internet exposure and route remote access through an alternative control until the patch is applied. Review appliance logs for anomalous SSRF-style outbound request patterns from the Workplace interface targeting internal hosts. Forward management console logs to your SIEM and alert on unexpected CLI session activity or authentication events. If active exploitation is suspected, activate your incident response process and assess your PIPEDA breach notification obligations.

Source: BleepingComputer

Enjoy this article? Don’t forget to share.