SonicWall customers are facing a new cybersecurity threat as attackers have begun exploiting two zero-day vulnerabilities confirmed by the vendor. The vulnerabilities, identified as CVE-2026-15409 and CVE-2026-15410, were publicly disclosed by SonicWall on Tuesday. While an employee is credited with discovering the defects, the company has not specified when the discovery occurred or the earliest known instance of exploitation.
Rapid7 researchers informed CyberScoop that exploitation of both vulnerabilities first began on June 22. Seth Lazarus, senior manager of detection and response services at Rapid7, stated, “From the cases that our team has observed, the goal is likely ransomware, though we have prevented the actors from achieving exfiltration and encryption.” He further noted that overlapping tactics, techniques, and procedures observed in these attacks suggest the same threat group or attacker discovered and exploited these zero-days.
Ongoing Exploitation of SonicWall Zero-Day Vulnerabilities
SonicWall has not provided details on the impacts of these attacks to date, nor has it attributed them to any specific known threat group or described the attackers’ origins and motivations. However, the vendor confirmed to CyberScoop that both vulnerabilities have been chained together for exploitation.
These vulnerabilities affect SonicWall SMA1000 appliances. One is described as a critical-severity defect that enables attackers to make authenticated requests, while the other is a 7.2-rated vulnerability that allows for authenticated command injection.
Chained Exploitation Leads to System Compromise
“When these two are chained, an attacker can go from zero access to a complete system compromise for the affected appliance,” explained Landon Rice, senior exploit developer at VulnCheck. Ben Harris, founder and CEO at watchTowr, highlighted two concerning aspects of these vulnerabilities: “Both were exploited as zero-days before fixes were available, and together they offer a plausible path to remote-code execution from the internet.”
The Cybersecurity and Infrastructure Security Agency (CISA) added both zero-day vulnerabilities to its known exploited vulnerabilities catalog on Tuesday. This inclusion signals that the vulnerabilities are actively being used by attackers and pose a significant risk to organizations.
SonicWall has advised its customers to immediately patch the vulnerabilities by upgrading to the latest software version, which the company released concurrently with its disclosure. Additionally, SonicWall shared indicators of compromise (IOCs) to assist customers in identifying potential malicious activity on their systems.
Bret Fitzgerald, senior director of global communications at SonicWall, emphasized the company’s swift response. “Speed of response was a priority for us,” Fitzgerald said. “Within days of becoming aware of the issue, our team had developed a script that we can run on behalf of affected customers to assist with resolution, and mitigation efforts are already underway.”
Impact and Mitigation Efforts
Neither SonicWall nor third-party researchers have disclosed the exact number of SonicWall customers affected by these exploited vulnerabilities. However, the vendor did confirm that it has investigated multiple instances of active exploitation.
Fitzgerald stated that SonicWall monitors approximately one million sensors globally, and “SMA1000 appliances represent a very small subset of that footprint, less than 5,000 units.” Despite the relatively small number of affected appliances, the severity of the chained vulnerabilities is a significant concern.
SonicWall also indicated that its support staff are actively assisting customers experiencing suspicious activity. The company warned that simply patching the vulnerabilities may not be sufficient to fully remediate potential compromises.
This latest incident adds to a history of actively exploited zero-days and previously disclosed vulnerabilities affecting SonicWall devices. In 2025, a state-sponsored threat actor reportedly compromised SonicWall’s cloud environment, stealing firewall configurations from all its customers.
According to CISA, seventeen vulnerabilities affecting SonicWall products have been added to its catalog of known exploited vulnerabilities since late 2021. Of these, ten are known to have been used in ransomware campaigns, including a notable series of approximately 40 Akira ransomware attacks between mid-July and early August.
In light of these ongoing threats, Harris advised, “As always, when something is confirmed as already exploited in the wild, patching is the bare minimum, and breach should be assumed.” Organizations are urged to apply the latest patches and to proactively hunt for signs of compromise beyond standard vulnerability management.

