Two flaws in SonicWall's SMA1000 remote access appliances are being exploited in live attacks, according to a July 14 alert from the US Cybersecurity and Infrastructure Security Agency (CISA). The agency added both bugs to its Known Exploited Vulnerabilities catalog, the list it maintains only for flaws with confirmed evidence of exploitation, and set a deadline for federal agencies to patch or pull the affected devices.
What is affected
The SMA1000 (Secure Mobile Access) is an appliance that sits at the edge of a corporate network and brokers remote access for staff and contractors, which makes it an attractive target: compromise the gateway and you are already inside. CISA flagged two issues. CVE-2026-15409 is a server-side request forgery (SSRF) flaw, a bug class that tricks the appliance into making network requests on the attacker's behalf, often to reach internal systems that should be unreachable from outside. CVE-2026-15410 is a code injection flaw that can let an attacker run their own commands on the device.
Why it matters
Internet-facing security appliances have become one of the most reliable ways into large organisations, because they are exposed by design and often patched slowly. In recent weeks alone, CISA has flagged actively exploited flaws in Cisco and PTC products, and attackers have been caught breaking into Palo Alto VPNs without a password. SonicWall's SMA line has been a repeated entry point for intruders in the past, so confirmed exploitation here is a warning worth acting on quickly.
What you should do
Apply SonicWall's fixes for the SMA1000 immediately. Because the appliance is exposed to the internet and now under active attack, treat any unpatched device as potentially compromised: review logs for unexpected requests and command execution, rotate credentials, and check for unauthorised accounts or configuration changes. Where a device cannot be patched at once, restrict its management interfaces and limit which networks it can reach.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.