
SonicWall SMA1000 Zero-Day Exploited in Active Attacks

Summary

– SonicWall has issued a patch for a medium-severity local privilege escalation flaw (CVE-2025-40602) in its SMA1000 Appliance Management Console.
– This vulnerability was chained with a critical pre-authentication flaw (CVE-2025-23006) in zero-day attacks to achieve unauthenticated remote code execution.
– Over 950 SMA1000 appliances are currently exposed online, posing a high risk to enterprises and critical infrastructure if unpatched.
– The SMA1000 is a critical secure remote access appliance, and SonicWall strongly advises users to upgrade to the latest hotfix release.
– This advisory follows recent SonicWall security incidents, including a state-backed breach and exploitation of a patched firewall vulnerability by ransomware gangs.

SonicWall has issued an urgent security alert, advising users of its SMA1000 secure remote access appliances to immediately apply a critical update. The warning follows the discovery of active attacks exploiting a newly identified vulnerability. This medium-severity local privilege escalation flaw, tracked as CVE-2025-40602, was chained with a previously patched critical bug to enable remote attackers to execute arbitrary commands with the highest system privileges.

The vulnerability was discovered and reported by researchers from Google’s Threat Intelligence Group. Importantly, SonicWall confirmed that this specific security issue does not impact the SSL-VPN functionality running on its firewall products. The company’s Product Security Incident Response Team (PSIRT) is strongly urging all SMA1000 administrators to upgrade to the latest hotfix release without delay to close this security gap.

In the observed attacks, threat actors combined this new flaw with a critical pre-authentication deserialization vulnerability, identified as CVE-2025-23006. This dangerous combination allowed for unauthenticated remote code execution with root-level access under specific conditions. The critical CVE-2025-23006 was previously addressed in a platform hotfix released on January 22, 2025, meaning systems already updated to build 12.4.3-02854 or later are protected from that component of the attack chain.
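The paragraph above gives defenders one concrete, checkable fact: the CVE-2025-23006 fix shipped in build 12.4.3-02854, so any SMA1000 still below that build is exposed to the full pre-auth chain, while appliances at or above it still need the newer hotfix for CVE-2025-40602. The following script is an added example, not code from the article or from SonicWall: it parses SMA1000 build strings of the form `major.minor.patch-build`, compares them against the build the article names, and triages a constructed inventory. The hostnames and the builds other than 12.4.3-02854 are made up for illustration; the article does not state the build number that fixes CVE-2025-40602, so the script deliberately does not claim any host is fully patched.

```python
"""Triage an SMA1000 inventory against the CVE-2025-23006 fix build.

Added example, not from the article or SonicWall. The only build taken
from the article is 12.4.3-02854; everything else here is constructed.
"""
import re
from typing import NamedTuple

# Build the article names as carrying the CVE-2025-23006 fix.
CVE_2025_23006_FIXED_BUILD = "12.4.3-02854"

# SMA1000 builds look like 12.4.3-02854: major.minor.patch-build (assumption
# based on the single build string quoted in the article).
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_build(build: str) -> tuple[int, int, int, int]:
    """Turn 'major.minor.patch-build' into a tuple that compares numerically.

    Raises ValueError for anything that does not match the expected shape so
    that a bad inventory entry is surfaced instead of silently passing.
    """
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 build string: {build!r}")
    major, minor, patch, num = (int(g) for g in m.groups())
    return (major, minor, patch, num)


def has_23006_fix(build: str) -> bool:
    """True if the build is at or above the one that fixed CVE-2025-23006."""
    return parse_build(build) >= parse_build(CVE_2025_23006_FIXED_BUILD)


class Finding(NamedTuple):
    host: str
    build: str
    status: str  # "exposed-to-chain" | "23006-fixed" | "unknown-build"


def triage(inventory: dict[str, str]) -> list[Finding]:
    """Classify each appliance.

    exposed-to-chain : below 12.4.3-02854, so the pre-auth CVE-2025-23006
                       bug is present and the reported chain applies.
    23006-fixed      : pre-auth component closed; CVE-2025-40602 hotfix
                       still required (its build is not given in the article).
    unknown-build    : inventory value could not be parsed; verify by hand.
    """
    findings: list[Finding] = []
    for host, build in inventory.items():
        try:
            fixed = has_23006_fix(build)
        except ValueError:
            findings.append(Finding(host, build, "unknown-build"))
            continue
        findings.append(Finding(host, build, "23006-fixed" if fixed else "exposed-to-chain"))
    # Most urgent first: chain-exposed, then unverifiable, then fixed.
    order = {"exposed-to-chain": 0, "unknown-build": 1, "23006-fixed": 2}
    return sorted(findings, key=lambda f: order[f.status])


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count hosts per status for a quick report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample inventory (hostnames and builds other than
# 12.4.3-02854 are invented for the example).
SAMPLE_INVENTORY = {
    "sma-hq-01": "12.4.3-02854",
    "sma-dc-02": "12.4.3-02804",
    "sma-lab-03": "12.4.2-02758",
    "sma-branch-04": "12.4.3-02900",
    "sma-bad-05": "unknown",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:14} {f.build:14} {f.status}")
    print(summary(triage(SAMPLE_INVENTORY)))
```

Feed it the build strings from your own asset inventory; the sort order puts the hosts that still carry the pre-auth bug at the top. Once SonicWall's hotfix build for CVE-2025-40602 is known to you, add a second threshold in the same way rather than treating "23006-fixed" as done.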

Network monitoring by the Shadowserver Foundation indicates there are currently more than 950 SMA1000 appliances directly accessible from the internet. While some of these may already be patched, the exposure highlights a significant potential attack surface. The SMA1000 series is a cornerstone for secure remote access in many large enterprises, government agencies, and critical infrastructure organizations, making any unpatched vulnerability a high-value target for malicious actors.

This latest security incident is part of a broader pattern of challenges for SonicWall’s ecosystem. Just last month, the company connected a state-sponsored hacking group to a September breach that resulted in the exposure of customer firewall configuration files. That event occurred shortly after external researchers warned that over one hundred SonicWall SSL-VPN accounts had been compromised through the use of stolen login credentials.

In recent months, SonicWall has also addressed other serious threats. During September, it released a firmware update designed to help administrators remove the persistent OVERSTEP rootkit, which had been deployed in attacks targeting its SMA 100 series devices. Furthermore, the company previously investigated and dismissed claims that the Akira ransomware gang was using a new zero-day exploit against its Gen 7 firewalls. Instead, SonicWall, along with independent confirmation from Rapid7 and the Australian Cyber Security Centre, tied those incidents to the exploitation of a critical vulnerability (CVE-2024-40766) for which a patch had been available since November 2024.

(Source: Bleeping Computer)
