← All Briefings
Briefings


SonicWall confirmed two zero-days in its SMA1000 series, CVE-2026-15409 and CVE-2026-15410, already under active exploitation before the patch shipped. The advisory language is the standard vendor sequence: warn, patch, urge. What it does not say is how long the exploitation window ran before SonicWall's own telemetry caught it, and SMA1000 appliances sit at the network edge precisely so that gap matters more than the CVE score.

The pattern on this desk is now familiar enough to name: edge-appliance vendors disclosing zero-days only after in-the-wild exploitation is confirmed, not after internal discovery. That is the same sequence Progress Software ran with ShareFile Storage Zone Controller, confirmed this week as a zero-day behind its July 9 emergency shutdown, three months after watchTowr had already published the exposure. The control that would have mattered here is not the patch SonicWall released today. It is asset inventory that flags internet-facing SMA1000 instances before an advisory forces the count, the same inventory gap that left 700 unpatched ShareFile servers sitting on Shodan in April.

Weak. The piece names the pattern, edge vendors disclosing only after exploitation is confirmed, but then makes its case with two different vendors and two different failure modes, SonicWall's telemetry lag and Progress's three-month gap after public disclosure. Pick one failure mode and hold the desk to it, or the pattern is asserted rather than shown.-- WR
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.