If you use a SonicWall SMA 1000 series appliance for remote access, stop scrolling. Attackers are actively exploiting two zero-day vulnerabilities right now, and the headline number (CVSS 10.0) is not even the scariest part. They are grabbing your TOTP MFA seeds before you know they are in the door.
Two flaws, one chain: how attackers get in
On July 14, SonicWall released an emergency advisory for two flaws in the SMA 1000 series. CVE-2026-15409 is a critical unauthenticated SSRF bug in the Workplace interface. Perfect 10.0 on the CVSS scale. CVE-2026-15410 is a post-authentication code injection flaw at CVSS 7.2. Alone, each is bad news. Chained together, they give attackers full appliance compromise starting from absolutely nothing.
Rapid7's MDR team spotted exploitation in customer logs dating back to July 9, days before the advisory went public. Attackers were observed pulling credentials, session data, and TOTP MFA seeds, then pivoting into internal networks. The MFA bypass is what makes this one different. Even if you are doing everything right with 2FA, this attack does not care.
Why this hits SMBs hardest
The SMA 1000 series (models 6210, 7210, 8200v) is everywhere in smaller IT environments. It is the appliance you bought for VPN remote access, the one your team logs into every morning. If you have one, attackers are likely already scanning for it.
CISA added both flaws to its Known Exploited Vulnerabilities catalog within 48 hours. Federal agencies had until today, July 17, to patch. If the US government treats this as a drop-everything emergency, your business should too.
What to do right now
Hotfix builds 12.4.3-03453 and 12.5.0-02835 are available from the SonicWall support portal. Here is your checklist:
- Update immediately. Apply the hotfix now. Do not wait for your next maintenance window.
- Rotate all credentials that passed through the SMA 1000. Sessions, service accounts, VPN credentials, everything.
- Reset MFA tokens. Assume TOTP seeds are compromised. Re-enroll all users with fresh seeds.
- Check for persistence. Review SMA 1000 logs for unusual admin sessions or config changes from early July onward.
- Audit for lateral movement. If the appliance was compromised, treat your internal network as potentially breached. Look for anomalous outbound connections or new admin accounts.
This is not a drill. A CVSS 10.0, no-authentication-required bug that bypasses MFA and is already being exploited in the wild is about as urgent as it gets.
If you are not sure your team has the bandwidth to handle this right now, or you want a second pair of eyes on your SMA 1000 logs, we can help.
Book a 30-minute emergency response call
No commitment, no sales pitch. Just a quick assessment of where you stand.