SonicWall disclosed active exploitation of two zero-day vulnerabilities affecting Secure Mobile Access (SMA) 1000 series appliances. One flaw poses severe risk to organisations relying on these remote access devices.

CVE-2026-15409 carries a CVSS score of 10.0, the highest severity rating. The vulnerability stems from a server-side request forgery (SSRF) flaw that remote unauthenticated attackers can exploit without credentials. This attack vector creates significant exposure for organisations, as threat actors need no prior access to the SMA 1000 device to trigger the vulnerability.

The second zero-day remains undisclosed in available details, but SonicWall confirmed both flaws face active exploitation in the wild. The SMA 1000 series functions as a critical gateway for remote workforce access, making these vulnerabilities particularly dangerous. Compromised appliances could grant attackers control over secure network access points, potentially exposing internal systems and sensitive data to threat actors.

SSRF vulnerabilities enable attackers to force vulnerable servers to make requests to internal systems or external targets they specify. In this case, the flaw allows unauthenticated access, eliminating a fundamental security barrier. Combined with the potential for arbitrary command execution mentioned in CVE-2026-15409, attackers could escalate from reconnaissance to direct system compromise.

Organisations operating SMA 1000 appliances should immediately verify whether they run vulnerable firmware versions and apply patches as SonicWall releases them. The unauthenticated nature of the exploit means internet-facing SMA 1000 devices face immediate risk. Network monitoring for suspicious outbound requests from these appliances provides interim detection capability.

SonicWall did not immediately provide a timeline for patches at the time of disclosure. Given the active exploitation and perfect