CVE-2025-40602: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Exploited
A zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 1000 was reportedly exploited in the wild in a chained attack with CVE-2025-23006.
CVE-2025-40602: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Exploited
A zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 1000 was reportedly exploited in the wild in a chained attack with CVE-2025-23006.
Key takeaways:
CVE-2025-40602 is a local privilege escalation vulnerability in the appliance management console (AMC) of the SonicWall SMA 1000 appliance.
CVE-2025-40602 has been exploited in a chained attack with CVE-2025-23006, a deserialization of untrusted data vulnerability patched in January.
A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2025-40602 and CVE-2025-23006.
Background
On December 17, SonicWall published a security advisory (SNWLID-2025-0019) for a newly disclosed vulnerability in its Secure Mobile Access (SMA) 1000 product, a remote access solution.
CVE
Description
CVSSv3
CVE-2025-40602
SonicWall SMA 1000 Privilege Escalation Vulnerability
6.6
Analysis
CVE-2025-40602 is a local privilege escalation vulnerability in the appliance management console (AMC) of the SonicWall SMA 1000 appliance. An authenticated, remote attacker could exploit this vulnerability to escalate privileges on an affected device. While on its own, this flaw would require authentication in order to exploit, the advisory from SonicWall states that CVE-2025-40602 has been exploited in a chained attack with CVE-2025-23006, a deserialization of untrusted data vulnerability patched in January. The combination of these two vulnerabilities would allow an unauthenticated attacker to execute arbitrary code with root privileges.
According to SonicWall, “SonicWall Firewall products are not affected by this vulnerability.”
Historical exploitation of SonicWall vulnerabilities
SonicWall products have been a frequent target for attackers over the years. Specifically, the SMA product line has been targeted in the past by ransomware groups, as well as being featured in the Top Routinely Exploited Vulnerabilities list co-authored by multiple United States and International Agencies.
Earlier this year, an increase in ransomware activity tied to SonicWall Gen 7 Firewalls was observed. While initially it was believed that a new zero-day may have been the root cause, SonicWall later provided a statement noting that exploitation activity was in relation to CVE-2024-40766, an improper access control vulnerability which had been observed to have been exploited in the wild. More information on this can be found on our blog.
Given the past exploitation of SonicWall devices, we put together the following list of known SMA vulnerabilities that have been exploited in the wild:
CVE
Description
Tenable Blog Links
Year
CVE-2019-7481
SonicWall SMA100 SQL Injection Vulnerability
1
2019
CVE-2019-7483
SonicWall SMA100 Directory Traversal Vulnerability
–
2019
CVE-2021-20016
SonicWall SSLVPN SMA100 SQL Injection Vulnerability
1, 2, 3, 4, 5
2021
CVE-2021-20038
SonicWall SMA100 Stack-based Buffer Overflow Vulnerability
1, 2, 3
2021
CVE-2025-23006
SonicWall SMA 1000 Deserialization of Untrusted Data Vulnerability
1
2025
CVE-2024-40766
SonicWall SonicOS Improper Access Control Vulnerability
1
2025
Proof of concept
At the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2025-40602. If and when a public PoC exploit becomes available for CVE-2025-40602, we anticipate a variety of attackers will attempt to leverage this flaw as part of their attacks.
Solution
SonicWall has released patches to address this vulnerability as outlined in the table below:
Affected Version
Fixed Version
12.4.3-03093 and earlier
12.4.3-03245
12.5.0-02002 and earlier
12.5.0-02283
The advisory also provides a workaround to reduce potential impact. This involves restricting access to the AMC to trusted sources. We recommend reviewing the advisory for the most up to date information on patches and workaround steps.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-40602 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline. In addition, product coverage for CVE-2025-23006 can be found here.
Tenable Attack Surface Management customers are able to identify these assets using a filtered search for SonicWall devices:
Get more information
Join on Tenable Connect and engage with us in the for further discussions on the latest cyber threats.
Learn more about , the Exposure Management Platform for the modern attack surface.
*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Scott Caveza. Read the original post at: https://www.tenable.com/blog/cve-2025-40602-sonicwall-secure-mobile-access-sma-1000-zero-day-exploited
About Author
