Skip to main content
CVE-2026-15409 Critical Patch Available

CVE-2026-15409: SonicWall SMA1000 WorkPlace — Unauthenticated SSRF (CVSS 10.0)

CVE Details

CVE ID CVE-2026-15409
CVSS Score 10
Severity Critical
Vendor SonicWall
Product SMA1000 Appliance
Patch Status Available
Published July 15, 2026
EPSS Score 1.3%
CISA Patch Deadline ⚠ July 17, 2026 Federal deadline passed

Background

SonicWall SMA1000 is an enterprise remote access appliance series deployed as a secure gateway between external networks and internal corporate infrastructure. The WorkPlace interface is the end-user-facing web portal through which remote employees authenticate and access internal web applications, file shares, and other corporate resources. Because it is a remote access product, the WorkPlace portal is by design exposed to the internet — which makes unauthenticated vulnerabilities in this component especially dangerous.

CVE-2026-15409 is a server-side request forgery vulnerability (CWE-918) in the SMA1000 WorkPlace interface, carrying a CVSS 3.1 score of 10.0 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). An unauthenticated attacker with network access to the WorkPlace portal can cause the appliance to issue arbitrary HTTP requests to internal network destinations. CISA added this to the Known Exploited Vulnerabilities catalog on July 14, 2026, with a mandatory remediation deadline of July 17. This CVE is tracked under SonicWall advisory SNWLID-2026-0008, which also covers companion code injection vulnerability CVE-2026-15410 in the Appliance Management Console.

Technical Mechanism

CWE-918 (Server-Side Request Forgery) occurs when an application fetches a remote resource based on user-supplied input without sufficiently validating or restricting the target URL or destination. In SMA1000 WorkPlace, an HTTP request-processing component accepts a crafted URL from an unauthenticated attacker, which the appliance fetches on the attacker’s behalf.

The changed scope metric (S:C) in the CVSS vector is the critical indicator: impact extends beyond the vulnerable appliance itself to any HTTP-accessible service on internal network segments reachable from the SMA1000 appliance. Because SMA1000 is positioned as a gateway with direct routed access to internal infrastructure, the appliance can typically reach:

  • Active Directory domain controllers and LDAP servers (ports 389, 636)
  • Internal web application servers
  • Network management systems and other security infrastructure
  • Internal API endpoints not intended to be externally accessible

The SSRF requires no authentication on the WorkPlace portal. An attacker submits a crafted request and the appliance issues the request to the internal destination, returning the response. Full C:H/I:H/A:H reflects that reachable internal systems can be fully compromised through the pivot.

Real-World Exploitation Evidence

CISA’s July 17 remediation deadline — three days after the July 14 KEV addition — confirms active exploitation in the wild. SonicWall VPN and remote access appliances are a consistently high-value target; threat actors monitor for SonicWall advisories and weaponize vulnerabilities rapidly.

SSRF against internet-exposed VPN appliances is an established attack pattern for ransomware operators and nation-state initial access brokers. In this class of vulnerability, attackers typically follow a progression: enumerate internal network topology by probing RFC 1918 address ranges via SSRF, then interact with internal services that lack authentication because they assumed internal-only exposure, then pivot to Active Directory or LDAP to extract or manipulate credentials, then use internal application access for lateral movement or privilege escalation.

The simultaneous KEV listing of CVE-2026-15409 and companion code injection CVE-2026-15410 with an identical three-day deadline strongly implies a chained exploitation pattern is being actively exploited.

Impact Assessment

  • Unauthenticated SSRF from the internet against a network gateway appliance
  • Reachability of any internal HTTP service accessible from the SMA1000 appliance
  • Active Directory / LDAP enumeration and potential credential extraction via internal service access
  • Internal network topology mapping without authentication
  • Chaining vector: SSRF used to obtain AMC credentials, then CVE-2026-15410 code injection achieves OS-level persistence on the appliance
  • Appliance-level access provides internal routing for lateral movement to enterprise network segments

Affected Versions

ProductAffectedFixedRelease Date
SonicWall SMA 6200Firmware prior to SNWLID-2026-0008 fixSNWLID-2026-0008 patched firmwareJuly 2026
SonicWall SMA 6210Firmware prior to SNWLID-2026-0008 fixSNWLID-2026-0008 patched firmwareJuly 2026
SonicWall SMA 7200Firmware prior to SNWLID-2026-0008 fixSNWLID-2026-0008 patched firmwareJuly 2026
SonicWall SMA 7210Firmware prior to SNWLID-2026-0008 fixSNWLID-2026-0008 patched firmwareJuly 2026
SonicWall SMA 8000vFirmware prior to SNWLID-2026-0008 fixSNWLID-2026-0008 patched firmwareJuly 2026
SonicWall SMA 100 seriesNot affectedN/AN/A

Remediation Steps

  1. Apply the firmware update from SNWLID-2026-0008 immediately. The patch is available through the SonicWall customer portal (MySonicWall account). This single update addresses both CVE-2026-15409 and CVE-2026-15410.

  2. Restrict WorkPlace interface access to known VPN user IP ranges via SMA1000 access rules where operationally feasible. Internet-facing deployments with no network restriction should be taken offline until patching completes given confirmed active exploitation.

  3. Place a WAF or reverse proxy in front of the WorkPlace portal to filter requests to known-good URL patterns. This is a risk-reduction measure, not a fix.

  4. Review SMA1000 routing rules to limit which internal network segments are directly reachable from the appliance — minimize the internal attack surface accessible via SSRF.

  5. Enable SMA1000 logging and forward logs to a SIEM immediately to establish a detection baseline and identify any prior exploitation:

# On SMA1000: navigate to Log Settings in the AMC
# Enable: Web Access, Authentication, System events
# Forward to syslog/SIEM endpoint
  1. Isolate the AMC interface on a separate network segment from the WorkPlace-facing interface to prevent SSRF-to-AMC lateral movement (chained exploit with CVE-2026-15410).

Detection Guidance

SonicWall WorkPlace Log Analysis

The SMA1000 generates web access logs for all WorkPlace requests. Look for:

  • URL parameters containing RFC 1918 addresses (10.x.x.x, 172.16–31.x.x, 192.168.x.x) or internal hostnames
  • Requests from IP addresses with no prior authentication history that trigger outbound connections from the appliance
  • HTTP response patterns inconsistent with normal portal responses (unusually large responses, unexpected content types)

Network-Level Detection

# On internal LDAP/AD controllers: monitor for unexpected source IPs
# SMA1000 management IP initiating LDAP binds outside normal authentication windows
tcpdump -i eth0 'src host <SMA1000_IP> and (port 389 or port 636)'

SIEM Correlation

Correlate SMA1000 web access logs against internal server access logs to identify SSRF-sourced connections:

# Pseudocode for SSRF correlation
SOURCE: sma1000_access_logs
| WHERE request_contains_rfc1918_or_internal_hostname = true
| WHERE authenticated_session = false
| JOIN internal_server_logs ON source_ip = sma1000_management_ip
| WHERE timestamp_delta < 5 seconds
| ALERT priority=critical

Suricata Signature

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (
  msg:"SonicWall SMA1000 SSRF Probe — RFC1918 in URL Parameter";
  flow:established,to_server;
  http.uri;
  pcre:"/[?&][^=]+=https?:\/\/(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/";
  threshold:type limit, track by_src, count 1, seconds 60;
  sid:9003001; rev:1;
)

Indicators of Compromise

  • WorkPlace access logs with URL parameters containing internal hostnames or IP addresses from unauthenticated sessions
  • Outbound connections from the SMA1000 to internal service ports (389, 636, 80, 443, 8080, etc.) without corresponding authentication events
  • Sequential SSRF probes to incrementing internal IP addresses (network reconnaissance pattern)

Timeline

DateEvent
2026-07-14SonicWall publishes SNWLID-2026-0008 covering CVE-2026-15409 and CVE-2026-15410
2026-07-14CISA adds CVE-2026-15409 to Known Exploited Vulnerabilities catalog
2026-07-14Patched firmware released via MySonicWall
2026-07-17CISA BOD 26-04 remediation deadline for federal agencies

References