
SonicWall Zero-Day Exploit Patched (CVE-2025-40602)

Summary

– SonicWall has patched a local privilege escalation flaw (CVE-2025-40602) in its SMA 1000 appliances and urges customers to apply the hotfix due to active exploitation.
– This new vulnerability was chained with a previously patched flaw (CVE-2025-23006) to achieve unauthenticated remote code execution with root privileges.
– CVE-2025-23006, a deserialization vulnerability patched in January 2025, allowed unauthenticated attackers to execute arbitrary OS commands on the management consoles.
– Organizations are advised to upgrade to specific fixed versions and restrict management console access to protect against these and future vulnerabilities.
– If the appliance is already patched for CVE-2025-23006, the exploit chain is broken, but the new CVE-2025-40602 still requires its own security update.

SonicWall has released a critical security update to address a newly discovered local privilege escalation flaw, identified as CVE-2025-40602, impacting its Secure Mobile Access (SMA) 1000 series appliances. The company has confirmed that this vulnerability has already been exploited by attackers in the wild. Organizations using these devices are urged to apply the provided hotfix immediately to prevent potential system compromise.

The security issue becomes particularly dangerous when combined with a previously patched vulnerability, CVE-2025-23006. This earlier flaw, a deserialization weakness in the appliance management consoles, was actively exploited as a zero-day before SonicWall remediated it in January 2025. When chained together, these two vulnerabilities enable a severe attack path. An unauthenticated attacker could first leverage CVE-2025-23006 to execute arbitrary operating system commands and then use CVE-2025-40602 to escalate those privileges to the highest possible level, gaining complete “root” control over the affected appliance.

SonicWall’s Secure Mobile Access 1000 gateways are widely deployed in large, distributed enterprise environments to provide employees with secure remote access to internal applications and resources. The newly disclosed vulnerability resides within the Appliance Management Console (AMC) and stems from insufficient authorization checks. Researchers from the Google Threat Intelligence Group, Clément Lecigne and Zander Work, reported the flaw to SonicWall, though specific details about the ongoing attacks have not been made public.

To secure their systems, administrators must upgrade their SMA 1000 appliances to a patched firmware version. The fixed releases are 12.4.3-03245 (platform-hotfix) or higher, and 12.5.0-02283 (platform-hotfix) or higher. Applying these updates is the primary and most effective defense.

In addition to patching, SonicWall recommends implementing supplementary network security measures. These include restricting AMC access to specific administrative IP addresses and disabling the SSL VPN management interface and SSH access from the public internet. These steps help minimize the attack surface and protect the management console from exploitation, not only for these specific vulnerabilities but for future ones as well.

It is important to note that patching the earlier CVE-2025-23006 vulnerability disrupts the most straightforward exploit chain. If an appliance is already running version 12.4.3-02854 or later, an attacker would need to first compromise a local user account to then exploit CVE-2025-40602. However, this does not eliminate the new threat. The separate hotfix for CVE-2025-40602 remains essential for complete protection and must be applied as outlined in the latest security advisory.
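The three firmware thresholds above (12.4.3-03245 and 12.5.0-02283 for CVE-2025-40602, 12.4.3-02854 for the earlier CVE-2025-23006 on the 12.4 branch) are easy to misread when checking a fleet by hand, because the build number after the hyphen, not just the dotted version, decides whether an appliance is fixed. The following script is an added example, not SonicWall's code or anything from the advisory: it parses SMA 1000 style version strings, compares them branch by branch against the fixed builds quoted in this article, and ranks each appliance by how the two flaws combine (unpatched for both means the unauthenticated chain to root is open; patched only for CVE-2025-23006 means a local account is still enough). The inventory, hostnames and the `triage` helper are constructed for illustration; the 12.5 branch fix for CVE-2025-23006 is not stated in the article, so the script reports it as unknown rather than guessing.

```python
"""Firmware triage for SMA 1000 appliances against CVE-2025-40602 and
CVE-2025-23006.

Added example; not SonicWall's code. The fixed builds are the ones quoted in
the article. Inventory, hostnames and helper names are assumptions made for
illustration.
"""
import re
from dataclasses import dataclass

# SMA 1000 firmware versions look like "12.4.3-03245": three dotted numbers
# followed by a hyphen and a build number. The build number is significant.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Return (major, minor, patch, build) as integers for ordering."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())


# Fixed builds for CVE-2025-40602, keyed by (major, minor) branch. "Or higher"
# in the advisory maps to a >= comparison on the parsed tuple.
FIXED_40602 = {
    (12, 4): parse_version("12.4.3-03245"),
    (12, 5): parse_version("12.5.0-02283"),
}

# Build that closed CVE-2025-23006. The article only names the 12.4 branch
# threshold, so other branches deliberately resolve to "unknown".
FIXED_23006 = {
    (12, 4): parse_version("12.4.3-02854"),
}


def status(fixed_by_branch, version):
    """'patched', 'vulnerable', or 'unknown' (branch not covered by the data)."""
    parsed = parse_version(version)
    fixed = fixed_by_branch.get(parsed[:2])
    if fixed is None:
        return "unknown"
    return "patched" if parsed >= fixed else "vulnerable"


@dataclass
class Triage:
    host: str
    version: str
    cve_2025_40602: str
    cve_2025_23006: str
    priority: str


def triage(host, version):
    """Combine the two per-CVE results into a remediation priority.

    critical: both unpatched, so the unauthenticated RCE-to-root chain is open.
    high:     CVE-2025-23006 fixed but CVE-2025-40602 not; a local account
              still suffices for privilege escalation, and the hotfix is due.
    review:   CVE-2025-40602 unpatched and the chain status cannot be decided
              from the data on hand.
    none:     CVE-2025-40602 hotfix present.
    """
    s40602 = status(FIXED_40602, version)
    s23006 = status(FIXED_23006, version)
    if s40602 == "patched":
        priority = "none"
    elif s23006 == "vulnerable":
        priority = "critical"
    elif s23006 == "patched":
        priority = "high"
    else:
        priority = "review"
    return Triage(host, version, s40602, s23006, priority)


def triage_inventory(inventory):
    """Run triage over (host, version) pairs, most urgent first."""
    order = {"critical": 0, "high": 1, "review": 2, "none": 3}
    results = [triage(host, version) for host, version in inventory]
    return sorted(results, key=lambda t: order[t.priority])


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real hosts.
    sample = [
        ("sma-hq-01", "12.4.3-03245"),
        ("sma-branch-02", "12.4.3-02854"),
        ("sma-lab-03", "12.4.3-02000"),
        ("sma-dc-04", "12.5.0-02100"),
    ]
    for row in triage_inventory(sample):
        print(f"{row.host:14} {row.version:14} 40602={row.cve_2025_40602:10} "
              f"23006={row.cve_2025_23006:10} priority={row.priority}")
```

The comparison is done on the full tuple rather than on the dotted prefix alone, which is what makes 12.4.3-02854 come out as fixed for CVE-2025-23006 but still vulnerable to CVE-2025-40602; a check that stops at "12.4.3" would wrongly mark that appliance as done.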

(Source: HelpNet Security)
