SonicWall: Urgent Patches Required for Actively Exploited SMA 100 Series Vulnerability
SonicWall Addresses Actively Exploited Vulnerability in SMA 100 Series
SonicWall has released critical security patches to fix a vulnerability in its Secure Mobile Access (SMA) 100 series appliances that attackers are actively exploiting in the wild. The local privilege escalation flaw, identified as CVE-2025-40602, stems from insufficient authorization in the appliance management console.
Security experts warn that attackers are combining this vulnerability with a previously patched critical flaw to achieve unauthenticated remote code execution with root privileges. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply fixes by December 24.
Understanding the vulnerability and its impact
The vulnerability, assigned a CVSS score of 6.6, affects SMA 100 series appliances running specific versions of SonicWall's software. According to SonicWall's security advisory, the flaw is particularly dangerous when combined with CVE-2025-23006 (CVSS score 9.8), which the company patched in January 2025.
"This combination allows attackers to achieve unauthenticated remote code execution with root privileges," SonicWall stated in its advisory.
The affected versions include:
- 12.4.3-03093 (platform-hotfix) and earlier versions
- 12.5.0-02002 (platform-hotfix) and earlier versions
SonicWall has fixed the issue in versions 12.4.3-03245 (platform-hotfix) and 12.5.0-02283 (platform-hotfix).
Google Threat Intelligence Group researchers Clément Lecigne and Zander Work discovered and reported the vulnerability. While details about the attack campaign's scale and perpetrators remain limited, this marks another significant security incident involving SonicWall products in 2025.
This vulnerability is a reminder that network infrastructure devices such as SMA appliances need the same disciplined patching and monitoring as any other critical system.
Previous SonicWall targeting and current threats
This latest vulnerability follows a concerning pattern of attacks against SonicWall devices. In July 2025, Google reported tracking a threat actor designated UNC6148 that targeted fully-patched but end-of-life SMA 100 series devices to deploy a backdoor called OVERSTEP.
Security researchers have not confirmed whether the current exploitation of CVE-2025-40602 is related to the UNC6148 campaign. However, the repeated targeting of SonicWall devices shows how attractive these appliances are to sophisticated threat actors.
The vulnerability's addition to CISA's Known Exploited Vulnerabilities catalog underscores its severity: the listing requires Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by the stated deadline.
Threat actor tactics and techniques
Advanced persistent threat (APT) groups often target network security devices like SMA 100 series appliances because they serve as critical entry points to corporate networks. By compromising these devices, attackers can establish persistent access, move laterally within networks, and exfiltrate sensitive data while remaining undetected.
Organizations should recognize that these attacks are often part of broader campaigns that chain multiple vulnerabilities across different systems. Combining CVE-2025-40602 with a previously patched flaw to move from a local privilege escalation to unauthenticated root code execution is a clear example of that approach.
What organizations should do now
Organizations using SonicWall SMA 100 series appliances should immediately apply the available security patches to protect against exploitation. Since attackers are actively targeting these systems, rapid patching is crucial to prevent unauthorized access and potential network compromise.
Security teams should:
- Identify all deployed SonicWall SMA 100 series appliances in their environment
- Verify current firmware versions against those identified as vulnerable
- Apply the appropriate patches as soon as possible
- Monitor systems for indicators of compromise, especially if patching was delayed
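As an added example (not code from the article or from SonicWall), the following Python script carries out the second step above: it parses SMA 100 firmware version strings in the advisory's `major.minor.patch-build (platform-hotfix)` form and compares each appliance in a constructed inventory against the fixed builds quoted in this article. The hostnames and the `12.6` entry are invented for illustration.

```python
import re

# Fixed builds quoted in the article, keyed by release branch (major, minor).
# The advisory says the builds before these are affected, so anything lower
# on the same branch is treated as vulnerable.
FIXED_BY_BRANCH = {
    (12, 4): (12, 4, 3, 3245),   # 12.4.3-03245 (platform-hotfix)
    (12, 5): (12, 5, 0, 2283),   # 12.5.0-02283 (platform-hotfix)
}

# Accepts "12.4.3-03093" with or without a trailing "(platform-hotfix)" tag.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\s*\(platform-hotfix\))?$")


def parse_version(text):
    """Turn an SMA version string into a comparable (major, minor, patch, build) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 version string: {text!r}")
    return tuple(int(part) for part in m.groups())   # "03093" -> 3093


def assess(version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one firmware string."""
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # Branch not named in the advisory: flag for manual review, do not guess.
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


# Constructed inventory (hostnames are invented); in practice this would be
# exported from an asset database or the appliances' management interface.
INVENTORY = [
    ("sma-hq-01", "12.4.3-03093 (platform-hotfix)"),
    ("sma-dc-02", "12.4.3-03245 (platform-hotfix)"),
    ("sma-lab-03", "12.5.0-02002"),
    ("sma-lab-04", "12.5.0-02283 (platform-hotfix)"),
    ("sma-old-05", "12.4.1-02000"),
    ("sma-odd-06", "12.6.0-00001"),
]


def triage(inventory):
    """Group hostnames by patch status so vulnerable units can be prioritised."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory:
        report[assess(version_text)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```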
"In light of active exploitation, it's essential that SonicWall SMA 100 series users apply the fixes as soon as possible," SonicWall emphasized in its advisory.
Organizations should also implement network monitoring to detect potential exploitation attempts and consider implementing additional security controls to limit exposure until patching is complete.
Implementing a defense-in-depth strategy
Beyond patching, organizations should adopt a comprehensive defense-in-depth approach to protect their network infrastructure. This includes implementing network segmentation, deploying intrusion detection systems, and establishing robust logging and monitoring capabilities.
Small and medium-sized businesses are particularly exposed to attacks of this kind and should adopt security measures sized for smaller organizations so that their critical assets are protected against increasingly capable threats.
Continuous vulnerability management
Organizations should implement a continuous vulnerability management program that includes:
- Regular vulnerability scanning of network devices
- Subscribing to vendor security advisories
- Establishing an efficient patch management process
- Testing patches in a non-production environment before deployment
- Documenting patching procedures for critical infrastructure
Establishing incident response capabilities is equally important, as it enables organizations to quickly detect and respond to security incidents involving network infrastructure devices.
The broader VPN security landscape
This incident highlights ongoing security challenges with virtual private network (VPN) appliances, which have become prime targets for attackers due to their critical position in network infrastructure. VPN devices serve as gateways between trusted and untrusted networks, making them particularly valuable targets.
Similar vulnerabilities in VPN products from other vendors have been exploited in recent years. Just this month, WatchGuard warned of active exploitation of a critical Fireware OS VPN vulnerability, demonstrating that this threat pattern extends beyond SonicWall products.
Organizations can use this incident as an opportunity to review their VPN security posture by:
- Ensuring all VPN appliances receive regular security updates
- Implementing multi-factor authentication for VPN access
- Monitoring VPN access logs for suspicious activity
- Considering zero-trust architecture to reduce dependency on perimeter security
As remote work remains common, properly securing VPN infrastructure should be a priority for all organizations.
Alternative security architectures
Many security professionals are now recommending that organizations explore unified threat management solutions that combine multiple security functions into a single platform, reducing complexity and improving visibility across the security infrastructure.
Zero Trust Network Access (ZTNA) is emerging as a more secure alternative to traditional VPN solutions. Unlike VPNs that typically grant broad network access once a user is authenticated, ZTNA provides granular, least-privilege access to specific applications and services. This approach significantly reduces the attack surface and minimizes the impact of potential compromises.
For more information on securing network infrastructure devices, organizations can refer to the CISA guidance on securing network infrastructure devices, which provides comprehensive recommendations for protecting critical network components.
Conclusion
The active exploitation of CVE-2025-40602 in SonicWall SMA 100 series appliances represents a significant security threat that requires immediate attention. By combining this vulnerability with a previously patched flaw, attackers can gain complete control over vulnerable systems.
Organizations should prioritize patching affected systems immediately and implement monitoring for potential exploitation. The incident serves as a reminder that network security appliances require the same rigorous security maintenance as other critical infrastructure components.
For IT security teams, this development emphasizes the importance of maintaining comprehensive vulnerability management programs and staying current with security bulletins from every vendor in their environment.