
SonicWall Addresses Vulnerability in SMA 100 Appliances

  • Dec 17, 2025

Key Findings


  • SonicWall has released fixes to address a security flaw, CVE-2025-40602, in its Secure Mobile Access (SMA) 100 series appliances.

  • The vulnerability, with a CVSS score of 6.6, allows for local privilege escalation due to insufficient authorization in the appliance management console (AMC).

  • The vulnerability was reported to be exploited in combination with CVE-2025-23006 (CVSS 9.8) to achieve unauthenticated remote code execution with root privileges.

  • CVE-2025-23006 was previously patched by SonicWall in late January 2025 in version 12.4.3-02854 (platform-hotfix).

  • Clément Lecigne and Zander Work of the Google Threat Intelligence Group (GTIG) discovered and reported CVE-2025-40602.

  • There are currently no details on the scale of the attacks and the entities behind them.


Background


In July, Google reported that it is tracking a threat group, UNC6148, that is targeting fully-patched end-of-life SonicWall SMA 100 series devices to drop a backdoor called OVERSTEP. It is unclear if the current attacks are related to this campaign.


Mitigation


SonicWall strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability. The fixed versions are:


  • 12.4.3-03245 (platform-hotfix) and higher

  • 12.5.0-02283 (platform-hotfix) and higher


Given the active exploitation of the vulnerability, it is essential that SonicWall SMA 100 series users apply the fixes as soon as possible.
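The fixed builds are listed per release branch, so a build number can only be compared within its own branch (02283 on 12.5.0 is fixed even though it is numerically lower than 03245 on 12.4.3). The following added example, which is not SonicWall's code, checks an inventory against the versions quoted above. It assumes version strings have the form `major.minor.patch-build`, treats any build below a listed fix as vulnerable, and flags branches the advisory does not list for manual review; the hostnames and sample builds are constructed.

```python
import re

# Fixed builds per release branch, taken from the advisory text above.
FIXED = {
    "CVE-2025-40602": {(12, 4, 3): 3245, (12, 5, 0): 2283},
    "CVE-2025-23006": {(12, 4, 3): 2854},
}
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\b")

def parse(version):
    """Split '12.4.3-03245 (platform-hotfix)' into ((12, 4, 3), 3245)."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, build = map(int, m.groups())
    return (major, minor, patch), build

def status(version, cve):
    """Return 'fixed', 'vulnerable' or 'review' for one CVE."""
    branch, build = parse(version)
    fixes = FIXED[cve]
    if branch in fixes:
        # Build numbers are only comparable inside the same branch.
        return "fixed" if build >= fixes[branch] else "vulnerable"
    if branch < min(fixes):
        # Assumption: older than every branch that received a fix.
        return "vulnerable"
    # Branch the advisory does not list: do not guess.
    return "review"

def audit(inventory):
    """Map hostname -> {cve: status} for a {hostname: version} inventory."""
    return {host: {cve: status(ver, cve) for cve in FIXED}
            for host, ver in inventory.items()}

# Constructed inventory; hostnames and builds are sample values.
SAMPLE = {
    "vpn-a": "12.4.3-03245 (platform-hotfix)",
    "vpn-b": "12.4.3-02900",
    "vpn-c": "12.5.0-02283",
    "vpn-d": "12.5.0-02100",
    "vpn-e": "12.4.2-05000",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(host, result)
```

A host such as `vpn-b` shows why both CVEs are tracked: it carries the January fix for CVE-2025-23006 but is still exposed to CVE-2025-40602.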


Sources


  • https://thehackernews.com/2025/12/sonicwall-fixes-actively-exploited-cve.html

  • https://securityaffairs.com/185809/hacking/sonicwall-warns-of-actively-exploited-flaw-in-sma-100-amc.html

© 2025 by Explain IT Again.