All incidents

CISA adds SonicWall SMA1000 SSRF vulnerability (CVE-2026-15409) to KEV catalog

vulnerabilityopenJul 14, 2026 — Jul 14, 2026

CISA has added CVE-2026-15409 to its Known Exploited Vulnerabilities catalogue, confirming that a critical server-side request forgery flaw in SonicWall SMA1000 appliances is under active attack. The entry can be reviewed via the CISA KEV entry here and further details are available in the vendor advisory here.

The vulnerability carries a CVSS base score of 10.0, reflecting a critical rating, and resides in the SMA1000’s web management interface. Insufficient validation of user‑supplied URL parameters allows an unauthenticated remote attacker to craft a request that triggers the appliance to make arbitrary HTTP calls to internal or external hosts.

Successful exploitation enables the device to act as a pivot, allowing the attacker to scan internal networks, reach services that are normally inaccessible from the internet, and potentially retrieve sensitive information such as configuration files or authentication tokens. Because the request originates from the trusted appliance, many network‑based detections may fail to flag the activity as malicious.

The appearance of CVE-2026-15409 in the KEV catalogue signals that CISA has observed this SSRF weakness being used in the wild, although no specific threat actor has been publicly linked to the activity. This inclusion highlights the continued interest of adversaries in targeting edge‑VPN appliances as a means to gain a foothold inside protected environments.

Server-side request forgery flaws have become a favoured tool in multi‑stage attacks because they let an attacker bypass perimeter controls and use a trusted device as a launchpad for further intrusion. When such a vulnerability exists in a widely deployed secure access gateway, the potential impact expands across any organisation that relies on the appliance for remote user connectivity, making timely identification and remediation essential.

Defenders should begin by consulting the SonicWall PSIRT advisory for any temporary mitigations or work‑arounds that may be supplied, and they should immediately limit access to the SMA1000 web interface to known‑trusted IP addresses or VLANs. Monitoring outbound HTTP traffic from the appliance for unexpected destinations can help spot exploitation attempts, and applying the vendor’s patch as soon as it is released remains the highest priority.

In the interim, organisations should enforce network segmentation so that the management interface cannot reach critical internal assets, consider deploying a reverse proxy or web‑application firewall that sanitises URL inputs before they reach the appliance, and ensure that multi‑factor authentication is required for any administrative login. Regular review of appliance logs for anomalous outbound requests, combined with alerts on new outbound connections, will improve the chances of detecting abuse early.

The flaw was first reported to SonicWall in mid-July 2026 and was subsequently assigned CVE‑2026‑15409; the vendor’s PSIRT page acknowledges the issue but states that no official patch or advisory has been published at this time. Administrators are encouraged to subscribe to SonicWall’s security notifications, to treat any public proof‑of‑concept code as a possible precursor to wider exploitation, and to follow CISA’s guidance to remediate KEV‑listed vulnerabilities within the prescribed window.

Intelligence briefing updated Jul 14, 2026

CVE-2026-15409 10.0 KEV
Root sourcepsirt.global.sonicwall.com
Timeline Coverage

Swipe to explore timeline