CISA has added CVE‑2026-15410 to its Known Exploited Vulnerabilities catalogue, affecting SonicWall’s SMA1000 Appliances. The vulnerability is a code injection flaw that, under specific conditions, allows a remote authenticated attacker with administrator privileges to execute arbitrary operating‑system commands on the device.
The issue is classified as a code injection vulnerability, enabling an attacker who already possesses valid admin credentials to run arbitrary commands on the underlying OS. The Common Vulnerability Scoring System assigns it a score of 0.0, reflecting the limited exploitability noted in the available data. No patch or advisory is currently listed, and the patch status is recorded as unknown.
Active exploitation has been confirmed, which is the basis for the KEV inclusion. There is no publicly known link to ransomware campaigns at this time. CISA has set a remediation deadline of 17 July 2026 for affected federal agencies to address the vulnerability.
CISA’s required remediation action is to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26‑04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26‑04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure and adhere to BOD 26‑04 patching guidelines.
While the directive binds Federal Civilian Executive Branch agencies, all organisations should review their exposure to SonicWall SMA1000 appliances and consider applying any available mitigations.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-15410 and the CISA KEV catalogue.