Here is the article:
CVE-2026-15410: SonicWall SMA1000 Code Injection Under Active Exploitation
CISA has added CVE-2026-15410, a post-authentication code injection flaw in SonicWall SMA1000 appliances, to its Known Exploited Vulnerabilities catalog with a three-day remediation deadline.
What Is It
CVE-2026-15410 is a code injection vulnerability (CWE-94) in the SonicWall SMA1000 Appliance Management Console (AMC). Under specific conditions, it could potentially enable a remote authenticated attacker operating as administrator to execute arbitrary OS commands. It carries a CVSS 3.1 base score of 7.2 (HIGH), with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, network-reachable, low attack complexity, but requiring high privileges and no user interaction.
Why It Matters
CISA's KEV listing confirms this vulnerability is under active exploitation, and CISA's SSVC assessment marks exploitation status as "active" with a "total" technical impact. Because the flaw grants arbitrary OS command execution at the administrator level, successful abuse yields high impact to confidentiality, integrity, and availability of the affected appliance. Note that exploitation is assessed as not automatable, and the attacker must first be authenticated as an administrator.
What's Vulnerable
The affected product is the SonicWall SMA1000 appliance (Linux platform). Per the NVD record, the following version ranges are affected:
- 12.4.3-03245 through 12.4.3-03434
- 12.5.0-02283 through 12.5.0-02800
The vulnerability resides in the Appliance Management Console (AMC).
Patch Status
CISA added CVE-2026-15410 to the KEV catalog on 2026-07-14, with a required-action due date of 2026-07-17. The required action is to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 guidance and CISA's "Forensics Triage Requirements." For cloud services, follow applicable BOD 26-04 guidance, or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure. Known ransomware campaign use is listed as Unknown.