[KEV] CVE-2026-15410 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-15410 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-15410 is a code injection vulnerability in SonicWall SMA1000 Appliances that allows a remote authenticated administrator to execute arbitrary operating system commands under specific conditions.
Technical Detail
The flaw exists in the SonicWall SMA1000 platform and is triggered when an attacker with authenticated administrator-level access submits crafted input that is improperly sanitized before being passed to the underlying OS. Successful exploitation results in arbitrary OS command execution, effectively granting the attacker full control over the appliance at the operating system level. Because the SMA1000 series functions as a secure remote access gateway, OS-level compromise of these devices can expose internal network segments and connected resources to further attack.
Exploitation Status
CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on July 14, 2026. The exploit maturity is rated Operational, meaning a functional exploit capable of reliable use in real-world attack scenarios exists and is being actively leveraged. This is not limited to proof-of-concept demonstrations.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this CVE in the available data. Organizations should treat active exploitation as opportunistic or targeted given the nature of the affected platform until attribution is established.
What To Do
Per CISA's Known Exploited Vulnerabilities binding directive (BOD 22-01), federal agencies are required to apply patches or mitigations by the deadline associated with the July 14, 2026 KEV listing. All organizations operating SonicWall SMA1000 Appliances should apply the vendor-issued patch immediately and treat this as a priority remediation given confirmed active exploitation. If patching cannot be completed immediately, restrict administrative access to the SMA1000 management interface to trusted IP ranges only and enforce multi-factor authentication on all administrator accounts to reduce the attack surface. Review appliance logs for anomalous command execution activity or unexpected administrative sessions, particularly from unfamiliar source addresses. Contact SonicWall support directly for the latest patched firmware version applicable to your SMA1000 deployment.