
SonicWall SMA 1000 series appliances are affected by CVE-2025-40602, a local privilege escalation vulnerability in the appliance management console. On its own the flaw rates only medium severity, but it is being exploited in the wild and chained with an earlier remote code execution bug to take full root control of the appliance.
Vulnerability Breakdown
CVE-2025-40602 stems from missing authorization checks in the Appliance Management Console (AMC). A user who already holds a high-privilege AMC role, such as an administrator, can trigger operations that run as root on the underlying system. Affected builds are SMA 1000 AMC versions 12.5.0-02002 and earlier and 12.4.3-03093 and earlier; SonicOS firewalls and standard SSL VPN deployments are not affected. The CVSS score of 6.6 (medium) is driven by the preconditions, namely the high privileges required and non-trivial attack complexity, not by the impact, which is high for confidentiality, integrity and availability once the flaw is triggered.
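To make the affected-version boundaries above concrete, here is a small version checker. It is added as an example and is not SonicWall's own tooling. It assumes the version string layout used in the advisory summary (major.minor.patch-build, e.g. 12.5.0-02002), encodes the two affected trains named above, and reports any train the summary does not name as unknown rather than guessing; that treatment of unnamed trains is an assumption of the example.

```python
import re

# Affected ceilings per release train, taken from the advisory summary above:
# 12.5.0-02002 and earlier, 12.4.3-03093 and earlier.
AFFECTED_CEILINGS = {
    (12, 5, 0): 2002,
    (12, 4, 3): 3093,
}
OLDEST_NAMED_TRAIN = (12, 4, 3)

# Assumed format for this example: major.minor.patch-build, e.g. "12.5.0-02002".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Parse an SMA 1000 version string into a comparable (major, minor, patch, build) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string.

    Interpretation (an assumption of this example, not SonicWall's wording):
    within a named train, builds at or below the ceiling are affected and later
    builds carry the hotfix; anything older than the oldest named train is
    covered by "and earlier"; any other train is not addressed by the summary
    and is reported as unknown so it gets checked by a human, not silently passed.
    """
    major, minor, patch, build = parse_version(text)
    train = (major, minor, patch)
    if train in AFFECTED_CEILINGS:
        return "vulnerable" if build <= AFFECTED_CEILINGS[train] else "fixed"
    if train < OLDEST_NAMED_TRAIN:
        return "vulnerable"
    return "unknown"


def triage(inventory):
    """Classify a mapping of hostname -> version string; return only hosts needing action."""
    result = {}
    for host, version in inventory.items():
        state = classify(version)
        if state != "fixed":
            result[host] = state
    return result


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = {
        "sma-dc1": "12.5.0-02002",
        "sma-dc2": "12.5.0-02003",
        "sma-branch": "12.4.3-03093",
        "sma-lab": "12.4.1-01234",
        "sma-test": "12.4.4-00010",
    }
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```

Feed it the version column from your asset inventory and treat every "unknown" as a manual check against the advisory rather than as a pass.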
The flaw is reachable over the network against the AMC interface, but only from an existing administrative session, so in practice it is a second-stage step used after initial access has been obtained by other means. No public proof-of-concept has been published; vulnerability scanners such as Nessus do ship detection plugins for it.
Real-World Exploitation
Threat actors chain CVE-2025-40602 with CVE-2025-23006, a pre-authentication deserialization flaw in the same management console that gives remote code execution. The deserialization bug provides the initial foothold without credentials, and CVE-2025-40602 then lifts that foothold to root, so the pair yields unauthenticated root code execution on end-of-support SMA devices. From there the attackers install backdoors, create additional accounts and move laterally from the appliance into the internal network. Multiple security firms reported in-the-wild exploitation before SonicWall's patch was available, making this a zero-day at the time.
Patch and Affected Systems
SonicWall released hotfixes on December 17, 2025, under advisory SNWLID-2025-0019. Apply them immediately to every SMA 1000 appliance running an affected build. The fixes are platform-specific and are also provided for hardware that is already end-of-support, so the age of the device is not a reason to skip them.
Detection Strategies
Review the AMC audit logs for administrative actions originating from addresses outside the management network, for privilege changes, and for commands issued at unusual times or by unexpected accounts. Look as well for the indicators of CVE-2025-23006 exploitation, for newly created or modified accounts, and for outbound connections from the appliance itself to hosts it has no reason to contact, since command-and-control traffic from a VPN appliance is a strong sign of compromise. Qualys and Tenable have released plugins that flag affected builds.
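As an added example, not from the page and not SonicWall's own tooling, the following script applies those checks to a handful of constructed log lines. The key=value line layout, the management subnet 10.20.0.0/24, the egress allowlist and the baseline set of expected administrators are all assumptions chosen for the demonstration; a real deployment would point the parser at the appliance's actual audit log export and fill in its own networks and accounts.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simple key=value syslog style. This is an assumed
# layout for the example, not SonicWall's documented AMC log format.
SAMPLE_LOG = """\
2025-12-17T22:01:10Z host=sma1000 event=login user=admin src=10.20.0.5 result=ok
2025-12-17T22:05:42Z host=sma1000 event=config_change user=admin src=10.20.0.5 object=cert
2025-12-18T03:14:07Z host=sma1000 event=login user=admin src=203.0.113.45 result=ok
2025-12-18T03:14:31Z host=sma1000 event=user_add user=admin src=203.0.113.45 target=svc_backup role=admin
2025-12-18T03:15:02Z host=sma1000 event=privilege_change user=svc_backup src=203.0.113.45 from=admin to=root
2025-12-18T03:16:19Z host=sma1000 event=outbound_conn proto=tcp dst=198.51.100.23 dport=443
2025-12-18T09:00:00Z host=sma1000 event=outbound_conn proto=tcp dst=10.20.0.50 dport=514
"""

# Assumed environment baseline: where admins are allowed to come from, where the
# appliance itself is allowed to connect (syslog, update server), and which accounts
# are expected to hold administrative rights.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ALLOWED_EGRESS = [ipaddress.ip_network("10.20.0.0/24")]
KNOWN_ADMINS = {"admin"}

# Event types that represent administrative activity in this assumed schema.
ADMIN_EVENTS = {"login", "config_change", "user_add", "privilege_change"}

TOKEN_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one 'timestamp key=value ...' line into a dict; timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(TOKEN_RE.findall(rest))
    fields["ts"] = ts
    return fields


def in_nets(addr, nets):
    """True if addr (a string) falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def analyze(log_text):
    """Run the detection rules over a log export; return (ts, finding, subject) tuples."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        kind = ev.get("event")
        ts = ev["ts"]
        # Rule 1: administrative activity from outside the management network.
        if kind in ADMIN_EVENTS and "src" in ev and not in_nets(ev["src"], MGMT_NETS):
            findings.append((ts, "admin_action_from_unexpected_source", ev["src"]))
        # Rule 2: administrative activity by an account not in the admin baseline.
        if kind in ADMIN_EVENTS and ev.get("user") not in KNOWN_ADMINS:
            findings.append((ts, "admin_action_by_unexpected_account", ev.get("user")))
        # Rule 3: any account creation on a VPN appliance deserves review.
        if kind == "user_add":
            findings.append((ts, "new_account_created", ev.get("target")))
        # Rule 4: a privilege shift to root is the direct signature of this class of bug.
        if kind == "privilege_change" and ev.get("to") == "root":
            findings.append((ts, "escalation_to_root", ev.get("user")))
        # Rule 5: the appliance talking outbound to a host not on the egress allowlist.
        if kind == "outbound_conn" and "dst" in ev and not in_nets(ev["dst"], ALLOWED_EGRESS):
            findings.append((ts, "unexpected_outbound_connection", ev["dst"]))
    return findings


def summarize(findings):
    """Count findings per rule name for a quick triage view."""
    return Counter(name for _, name, _ in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for ts, name, subject in results:
        print(f"{ts} {name} {subject}")
    print(dict(summarize(results)))
```

Rules 1, 2 and 4 on their own produce some noise in normal operations (an admin on a new laptop, a planned account change), so the useful signal is their clustering: the same external source address creating an account and then that account moving to root within a minute is the pattern to alert on, not any single line.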
Mitigation Steps
- Deploy the hotfixes from SonicWall's PSIRT portal without delay.
- Restrict access to the AMC to the management network or a VPN, enforce MFA on administrative accounts, and keep the number of high-privilege accounts to a minimum.
- After patching, audit the logs for the indicators described above, rotate all credentials used on the appliance, and rebuild the device from known-good firmware if compromise is suspected, since a patch does not remove a backdoor that is already installed.
This flaw underscores the risk of relying on ageing VPN gear at the network edge: patch quickly, and layer access controls and monitoring so that a single bug in the management plane does not hand an attacker the whole perimeter.