SonicWall has released patches to address a critical security vulnerability impacting its Secure Mobile Access (SMA) 100 series appliances. The flaw, identified as CVE-2025-40602, has reportedly been actively exploited in the wild, posing an immediate risk to organizations relying on these devices for secure remote access. The company urges customers to apply these updates promptly to mitigate potential threats.
The vulnerability involves a local privilege escalation, stemming from insufficient authorization within the appliance management console (AMC). This could allow an attacker with initial access to gain higher levels of control over the affected systems. SonicWall’s advisory highlights that this weakness has been weaponized in conjunction with another vulnerability, CVE-2025-23006, enabling unauthenticated remote code execution with root privileges.
SonicWall SMA 100 Series Vulnerability Addressed
The newly patched SonicWall SMA 100 series vulnerability, CVE-2025-40602, carries a CVSS score of 6.6, classifying it as a moderate-to-high severity issue. The flaw lies in the authorization checks of the AMC, the interface used to manage the SMA appliances. Exploiting it would grant an attacker elevated privileges, moving them closer to complete system compromise.
SonicWall has provided specific version information for affected appliances:
- 12.4.3-03093 (platform-hotfix) and earlier: fixed in 12.4.3-03245 (platform-hotfix).
- 12.5.0-02002 (platform-hotfix) and earlier: fixed in 12.5.0-02283 (platform-hotfix).
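The version list above is the kind of data that ends up in a patch-compliance check. The following script is an added example, not SonicWall's tooling: it parses the advisory's "MAJOR.MINOR.PATCH-BUILD" version strings, compares each reported appliance version against the last affected and first fixed build of its branch, and groups hosts into vulnerable, patched and unknown. The fixed builds are the ones quoted in the advisory; the hostnames and versions in the sample inventory are constructed, and the "unknown" bucket covers branches or builds the advisory text does not describe, which should be checked against the official advisory rather than guessed.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Branch -> (last affected build, first fixed build), exactly as the advisory states them.
# Keyed on (major, minor) so that e.g. a 12.4.2 build counts as "earlier" than 12.4.3-03093.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[str, str]] = {
    (12, 4): ("12.4.3-03093", "12.4.3-03245"),
    (12, 5): ("12.5.0-02002", "12.5.0-02283"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


class SmaVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int


def parse_version(text: str) -> SmaVersion:
    """Parse 'MAJOR.MINOR.PATCH-BUILD'; a trailing '(platform-hotfix)' tag is ignored."""
    stripped = text.strip()
    core = stripped.split()[0] if stripped else ""
    m = _VERSION_RE.match(core)
    if m is None:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return SmaVersion(*(int(g) for g in m.groups()))


def assess(version_text: str) -> Dict[str, Optional[str]]:
    """Classify one reported version as 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(version_text)
    entry = FIXED_BUILDS.get((v.major, v.minor))
    if entry is None:
        # Branch not covered by the advisory text: do not guess, flag for manual review.
        return {"version": version_text, "status": "unknown", "fixed_in": None}
    last_affected, first_fixed = entry
    if v <= parse_version(last_affected):      # NamedTuple compares field by field
        status = "vulnerable"
    elif v >= parse_version(first_fixed):
        status = "patched"
    else:
        # Build sits between the last affected and the first fixed build; the
        # advisory does not describe such builds, so treat it as needing review.
        status = "unknown"
    return {"version": version_text, "status": status, "fixed_in": first_fixed}


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "sma-hq-01": "12.4.3-03093 (platform-hotfix)",
    "sma-hq-02": "12.4.3-03245 (platform-hotfix)",
    "sma-dc-01": "12.4.2-00150",
    "sma-dc-02": "12.5.0-02283 (platform-hotfix)",
    "sma-lab-01": "12.6.0-00010",
}


def summarize(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the 'vulnerable' list can drive patch work."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)["status"]].append(host)
    return groups


if __name__ == "__main__":
    for host, version in sorted(SAMPLE_INVENTORY.items()):
        result = assess(version)
        target = result["fixed_in"] or "see advisory"
        print(f"{host:12} {version:32} {result['status']:10} fix: {target}")
```

Because SonicWall's version strings carry a numeric build suffix, a plain string comparison would mis-order builds with different digit counts; converting each component to an integer and comparing the tuple avoids that. Anything that lands in "unknown" is deliberately not auto-classified, since the advisory only speaks to the builds it lists.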
The company’s disclosure emphasized that CVE-2025-40602 has been chained with CVE-2025-23006, a previously patched high-severity vulnerability (CVSS score 9.8). The combination of these two exploits allows attackers to bypass authentication and execute arbitrary code with root privileges remotely. This sophisticated attack chain underscores the importance of maintaining up-to-date firmware on network security devices.
Active Exploitation and Threat Landscape
The fact that CVE-2025-40602 is being actively exploited in the wild is a significant concern for network security professionals. While SonicWall has not disclosed the scale or specific actors behind these attacks, the active exploitation suggests persistent threats targeting these devices. The reported combination with CVE-2025-23006, which SonicWall patched in late January 2025, indicates that some organizations may not have fully remediated earlier vulnerabilities, leaving them susceptible to these more advanced attack vectors.
The discovery and reporting of this vulnerability are credited to Clément Lecigne and Zander Work of Google Threat Intelligence Group (GTIG). Their findings highlight the ongoing efforts by cybersecurity researchers to identify and disclose potential weaknesses in widely used network infrastructure. GTIG has been tracking a threat cluster, designated UNC6148, which has been observed targeting end-of-life SonicWall SMA 100 series devices to deploy a backdoor known as OVERSTEP. It remains unclear at this time whether the current exploitation of CVE-2025-40602 is directly linked to the UNC6148 campaign.
Mitigation and Future Outlook
Given the active exploitation of this network security vulnerability, SonicWall is strongly advising all users of its SMA 100 series appliances to deploy the provided hotfixes as a matter of urgency. Failing to do so leaves organizations exposed to potential data breaches, system compromise, and disruption of services. Organizations should consult SonicWall’s official security advisories for the most accurate and up-to-date patching instructions.
The continuous discovery of actively exploited vulnerabilities in widely deployed network appliances like the SonicWall SMA 100 series emphasizes the importance of a proactive security posture. This includes not only regular patching but also comprehensive asset management to identify and address end-of-life devices that may no longer receive security updates. The cybersecurity community will be closely watching for further intelligence regarding the actors behind these attacks and their ultimate objectives. Organizations should remain vigilant and prepared to respond to evolving threat landscapes.