SonicWall has released security updates to remediate an actively exploited local privilege escalation vulnerability, tracked as CVE-2025-40602, affecting Secure Mobile Access (SMA) 100 series appliances. The flaw exists in the Appliance Management Console (AMC) and has been confirmed to be exploited in the wild, increasing the urgency for organizations to apply patches.
Technical Root Cause
CVE-2025-40602 is caused by insufficient authorization checks within the SMA1000 Appliance Management Console. Because the console does not properly validate the caller's privilege level before performing an action, a locally authenticated low-privileged user can invoke operations reserved for higher roles and ultimately escalate to administrative access.
This weakness reflects a broader class of authorization flaws in which management interfaces fail to enforce role-based access controls consistently on the server side, which makes administrative components a high-value target.
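The following is an added illustration of the flaw class just described, written for this page; it is not SonicWall's code and does not reflect how the AMC is implemented. The action names, role levels and policy table are constructed. It contrasts a management-console handler that trusts a role value the client may supply (and allows unlisted actions by default) with one that derives the effective role only from the server-side session and denies anything not explicitly permitted.

```python
"""Constructed example: insufficient vs. proper authorization in a
management-console action handler. Not SonicWall code."""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Ordered privilege levels (constructed; higher value = more privilege)."""
    READ_ONLY = 1
    OPERATOR = 2
    ADMIN = 3


@dataclass
class Session:
    """Server-side session state populated at login from the user store."""
    user: str
    role: Role


@dataclass(frozen=True)
class Request:
    """An authenticated request to perform a console action."""
    session: Session
    action: str
    params: dict = field(default_factory=dict)  # client-controlled body


# Minimum role required for each console action (hypothetical policy table).
REQUIRED_ROLE = {
    "view_status": Role.READ_ONLY,
    "restart_service": Role.OPERATOR,
    "add_admin_user": Role.ADMIN,
    "export_config": Role.ADMIN,
}


def handle_vulnerable(req: Request) -> str:
    """Weak pattern: the privilege check consults a 'role' field from the
    request body when present, so the client can assert a higher role; and
    actions missing from the policy table are allowed by default."""
    role_name = req.params.get("role", req.session.role.name)
    effective = Role[role_name.upper()]
    if effective >= REQUIRED_ROLE.get(req.action, Role.READ_ONLY):
        return f"executed {req.action}"
    return "denied"


def handle_hardened(req: Request) -> str:
    """Hardened pattern: the effective role comes only from the server-side
    session, the check is applied before any work is done, and unknown
    actions are denied (default-deny)."""
    required = REQUIRED_ROLE.get(req.action)
    if required is None:
        return "denied"
    if req.session.role < required:
        return "denied"
    return f"executed {req.action}"


if __name__ == "__main__":
    low = Session(user="auditor", role=Role.READ_ONLY)
    escalate = Request(low, "add_admin_user", {"role": "admin"})
    print("vulnerable:", handle_vulnerable(escalate))  # executed add_admin_user
    print("hardened:  ", handle_hardened(escalate))    # denied
```

The detection-relevant point is that the hardened handler keeps a single authoritative source for the caller's role and a single choke point for the check; auditing a console for this class of bug means confirming that every privileged endpoint reaches that choke point rather than re-deriving privilege from request data.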
Vulnerability Details
- CVE ID: CVE-2025-40602
- Vulnerability: Local privilege escalation vulnerability
- CVSS Score: 6.6 (Medium)
- EPSS Score: 1.71%
Affected Products
The vulnerability impacts the following SonicWall products:
- SonicWall SMA 100 series appliances
- SMA1000 Appliance Management Console (AMC)
- Versions 12.4.3-03093 (platform-hotfix) and earlier
- Versions 12.5.0-02002 (platform-hotfix) and earlier
SonicWall has confirmed that firewall products are not affected, limiting the exposure to SMA appliances used primarily for secure remote access and VPN services.
Impact
On its own, CVE-2025-40602 enables local privilege escalation, allowing attackers to gain elevated permissions on the appliance. However, the risk significantly increases when it is chained with CVE-2025-23006, a pre-authentication deserialization vulnerability.
When exploited together, these flaws allow attackers to achieve unauthenticated remote code execution with root privileges, resulting in full device compromise. Given that SMA appliances often sit at the network perimeter and provide VPN access, successful exploitation could lead to:
- Credential harvesting
- Network pivoting and lateral movement
- Persistent backdoor deployment
- Long-term access to corporate environments
Tactics and Techniques
Observed exploitation aligns with the following MITRE ATT&CK tactics (TA-prefixed) and techniques (T-prefixed):
- TA0001 – Initial Access: Gaining entry through exposed or vulnerable management services
- TA0002 – Execution: Running malicious code on the appliance
- TA0004 – Privilege Escalation: Elevating access to root-level privileges
- T1068 – Exploitation for Privilege Escalation
- T1203 – Exploitation for Client Execution
Threat actors have been observed chaining vulnerabilities to bypass authentication controls and execute payloads directly on the appliance.
Mitigation and Remediation Guidance
SonicWall’s PSIRT strongly recommends immediate upgrades to the following versions:
- 12.4.3-03245 (platform-hotfix) or later for the 12.4.3 train
- 12.5.0-02283 (platform-hotfix) or later for the 12.5.0 train
To fully mitigate chained exploitation, organizations must also ensure CVE-2025-23006 is patched by upgrading to:
- 12.4.3-02854 (platform-hotfix) or later
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
