The update installed cleanly. That was the easy part.
Picture the maintenance window that closed last night. The SMA1000 came back up on a fixed build, the change ticket went green, and somebody wrote "patched" in the incident channel. If an attacker reached that appliance in the days before, none of that undid what already left the building.
What actually left: credentials, active session databases, and TOTP MFA seeds. The seeds are the part that outlives the fix. A TOTP seed is the shared secret your authenticator app and your appliance both hold, and whoever copies it can generate valid six-digit codes indefinitely. Installing a new firmware build does not invalidate a secret that was already read.
That single property is why the German Federal Office for Information Security, the BSI, did not simply tell operators to update. It told them to presume they were breached.
Two CVEs, one chain, and a rating that misleads
The danger is not either flaw alone. It is the sequence.
CVE-2026-15409 is a server-side request forgery, CWE-918, reachable without authentication through /wsproxy on port 443. It carries a CVSS 10.0 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Two qualifications matter. It is SSRF, not remote code execution. And that 10.0 is SonicWall's own score in its role as CNA, recorded as Secondary. The NVD has published no primary score of its own.
CVE-2026-15410 is rated CVSS 7.2 HIGH, CWE-94, a path traversal in the remove_hotfix workflow that escalates to root. Its rating says post-authentication, administrator required.
Yes, but: that requirement is exactly what CVE-2026-15409 supplies. The SSRF opens a websocket tunnel to services that only listen on localhost, and CVE-2026-15410 then takes it to root. The two are exploited in tandem, so the reassuring half of 15410's score describes a barrier the first flaw has already removed.
Affected models are the SMA1000 6210, 7210 and 8200v on versions 12.4.3-03245, -03387 and -03434, and 12.5.0-02283, -02624 and -02800. Fixed builds are 12.4.3-03453 or later and 12.5.0-02835 or later. There are no workarounds. SonicWall firewall SSL-VPN and the SMA100 series are not affected.
A public exploit widened the field on 15 July
Rapid7's MDR team found this before SonicWall disclosed it. SonicWall's own advisory credits nobody.
A public proof-of-concept now exists: the GitHub repository remmons-r7/rapid7-CVE-2026-15409, created on 15 July, achieving unauthenticated remote code execution via Erlang on localhost:1050 using a hardcoded cookie. A Metasploit module is in development. The BSI explicitly warns that this widens the pool of attackers.
One caution on the evidence. The 9 July timestamps in Rapid7's writeup are the team's own lab output from a private IP during exploit development, not proof of in-the-wild activity on that date. Rapid7 says only that its discovery came prior to SonicWall's official vulnerability disclosure. No primary source gives any start date for exploitation, and no credible figure exists for how many devices are exposed in Europe or anywhere else.
The BSI instruction: prove you are clean
Germany's BSI issued its warning on 15 July as version 1.0 and updated it to version 1.1 on 16 July, document number BITS-H Nr. 2026-271845-1132. It is rated "Kritikalität: 3 / Orange" and marked TLP:CLEAR, so it can be circulated freely.
The BSI states that measures "müssen unverzüglich ergriffen werden", must be taken immediately. Its sharpest instruction is the one worth reading twice: "Assume Breach". Operators must presume compromise unless they can disprove it against the published indicators of compromise. The BSI is explicit that patching alone is insufficient and requires forensics, rebuild, credential rotation and 2FA token reset.
The BSI also points back to IT-Grundschutz NET.3.2: management interfaces must never be exposed to the internet. That is the structural lesson under the incident, and it will still be true after this CVE pair is forgotten.
Why the seed theft changes the shape of the work: with credentials, live sessions and MFA seeds in hand, an attacker moves laterally through Active Directory without needing the VPN at all. The appliance stops being the target and becomes the doorway.
Today's deadline belongs to somebody else
Both CVEs were added to the CISA Known Exploited Vulnerabilities catalog on 14 July, each with a due date of 17 July, which is today. The feed's catalogVersion is 2026.07.16.
Our analysis, and we label it as ours: that date binds US federal agencies under BOD 26-04. It has no legal force in the EU or the UK. A European operator reading the KEV entry as a compliance clock is reading somebody else's calendar.
The instruction that actually applies here is the German one, and it is the stricter of the two. A due date asks you to install something by Friday. "Assume Breach" asks you to prove you are clean, and proof is a higher bar than a completed change ticket. The organisations that will still be dealing with this in September are the ones that patched on time and never looked at what the seeds were used for in the meantime.
Read next: This ColdFusion Flaw Was Attacked Within Minutes | A Forged Token Opens Every PC The Tool Manages



