Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Flaw in EU Age Verification App Lets Attackers Bypass Checks
July 15, 2026
Critical SonicWall Firewall CVE-2021-20021, CVE-2021-20022 Zero-Days Actively Exploited
July 15, 2026
Chinese Hackers Use Claude, DeepSeek AI in Government Cyberattacks
July 15, 2026
Home/CyberSecurity News/Critical SonicWall Firewall CVE-2021-20021, CVE-2021-20022 Zero-Days Actively Exploited
CyberSecurity News

Critical SonicWall Firewall CVE-2021-20021, CVE-2021-20022 Zero-Days Actively Exploited

Key Takeaways SonicWall has issued an urgent advisory for two zero-day vulnerabilities, CVE-2026-15409 and CVE-2026-15410, actively exploited in the wild. The flaws affect specific versions of...

Jennifer sherman
Jennifer sherman
July 15, 2026 3 Min Read
2 0

Key Takeaways

  • SonicWall has issued an urgent advisory for two zero-day vulnerabilities, CVE-2026-15409 and CVE-2026-15410, actively exploited in the wild.
  • The flaws affect specific versions of SonicWall SMA1000 Series appliances, particularly models 6210, 7210, and 8200 running platform-hotfix releases 12.4.3 and 12.5.0.
  • CVE-2026-15409 is a critical unauthenticated server-side request forgery (SSRF) with a CVSS score of 10.0, while CVE-2026-15410 is a post-authentication code injection with a CVSS score of 7.2.
  • Patches are available, and immediate application of hotfixes 12.4.3-0345 or 12.5.0-0283 (or later) is strongly recommended.

SonicWall has released a critical security advisory warning customers about two zero-day vulnerabilities actively being exploited in the wild. These flaws impact specific versions of the company’s SMA1000 Series appliances and pose a significant risk to affected organizations.

Table Of Content

  • Key Takeaways
  • Critical SonicWall Firewall Zero-Day Vulnerabilities
  • What You Should Do

The most severe of the two, identified as CVE-2026-15409, carries a maximum CVSS score of 10.0. This vulnerability allows for remote exploitation without requiring any authentication, making it particularly dangerous.

The vulnerabilities specifically target SonicWall SMA1000 models 6210, 7210, and 8200. Affected devices are those running certain platform-hotfix releases, namely 12.4.3 and 12.5.0.

Critical SonicWall Firewall Zero-Day Vulnerabilities

SonicWall has clarified that its SSL-VPN services on firewall products and the SMA 100 Series appliance line are not affected by these issues. CVE-2026-15409 is a server-side request forgery (SSRF) vulnerability present in the SMA1000 Workplace interface.

This critical flaw enables an unauthenticated remote attacker to compel a vulnerable appliance to send requests to arbitrary internal or external network locations. Such SSRF vulnerabilities can grant attackers access to services typically isolated from the internet, facilitate internal network reconnaissance, or serve as a stepping stone for further system compromise.

The second vulnerability, CVE-2026-15410, is a post-authentication code injection flaw found within the SMA1000 Appliance Management Console. This issue has a CVSS score of 7.2.

Under specific circumstances, an attacker with authenticated administrator access could leverage this vulnerability to execute arbitrary operating system commands on the appliance. While requiring prior authentication, a successful exploit could lead to full control over the compromised system if an attacker manages to obtain valid credentials or hijack an administrative session.

The SonicWall Product Security Incident Response Team (PSIRT) has confirmed active exploitation of both vulnerabilities through multiple incident investigations. While specific details regarding the threat actors or attack methodologies have not been publicly disclosed, SonicWall is strongly urging immediate patching due to the absence of any available workarounds.

Organizations utilizing affected SMA1000 appliances must upgrade to platform-hotfix version 12.4.3-0345 or later for the 12.4.3 branch, or version 12.5.0-0283 or later for the 12.5.0 branch. These hotfixes are accessible via the MySonicWall customer portal.

Administrators should also conduct thorough reviews of appliance logs and configuration files for potential signs of compromise. SonicWall identified suspicious HTTP 200 responses for requests to /api/login or /api/logout in extraweb_access.log as potential indicators of compromise.

Other warning signs include HTTP 101 responses for requests to /wsproxy with suspicious host parameters, as well as hotfix rollback entries exhibiting path traversal-like names within ctrl-service.log. Furthermore, administrators should inspect /var/lib/unit/conf.json for any routes involving /api/login or /api/logout, as these paths are not part of legitimate SMA1000 configurations.

SonicWall credited PSIRT researcher Adam Babis for reporting these vulnerabilities. The company also extended its gratitude to Sean Koessel and Steven Adair of Volexity for their assistance in the investigation and their contributions to identifying an additional indicator of compromise.

What You Should Do

  • Immediately apply the required hotfixes: upgrade SMA1000 appliances to platform-hotfix version 12.4.3-0345 (or later) for the 12.4.3 branch, or 12.5.0-0283 (or later) for the 12.5.0 branch.
  • Thoroughly review appliance logs (extraweb_access.log, ctrl-service.log) and configuration files (/var/lib/unit/conf.json) for any indicators of compromise as outlined in the advisory.
  • If any evidence of compromise is detected, re-image affected hardware appliances or redeploy virtual appliances.
  • Reset all user and administrator passwords, and reset time-based one-time password (TOTP) tokens to invalidate any potentially stolen authentication credentials.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitSecurityThreatVulnerabilityzero-day

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Chinese Hackers Use Claude, DeepSeek AI in Government Cyberattacks

Next Post

Critical Flaw in EU Age Verification App Lets Attackers Bypass Checks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Microsoft Active Directory Zero-Day Actively Exploited
July 15, 2026
Critical BitLocker Vulnerability Lets Attackers Bypass Windows Security
July 15, 2026
Notepad++ Vulnerabilities Enable PowerShell Command Injection
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us