Key Takeaways
- SonicWall has released patches to fix a security vulnerability in its Secure Mobile Access (SMA) 100 series appliances, which has been actively exploited in the wild.
- The vulnerability, tracked as CVE-2025-40602, is a local privilege escalation flaw that arises from insufficient authorization in the appliance management console (AMC).
- The flaw affects specific versions of the SMA 100 series, including 12.4.3-03093 and earlier, as well as 12.5.0-02002 and earlier.
- The vulnerability was reported to be used in combination with another flaw, CVE-2025-23006, to achieve unauthenticated remote code execution with root privileges.
- Users of the affected SMA 100 series appliances are advised to apply the fixes as soon as possible to prevent potential attacks.
Introduction to the Vulnerability
The security vulnerability in question, tracked as CVE-2025-40602, is a local privilege escalation flaw that affects the Secure Mobile Access (SMA) 100 series appliances from SonicWall. This flaw arises from insufficient authorization in the appliance management console (AMC), which can be exploited by attackers to gain elevated privileges on the affected system. The CVSS score for this vulnerability is 6.6, indicating a moderate level of severity. SonicWall has released patches to fix this vulnerability, and users of the affected appliances are advised to apply these fixes as soon as possible to prevent potential attacks.
Affected Versions and Fixes
The vulnerability affects specific versions of the SMA 100 series, including 12.4.3-03093 and earlier, as well as 12.5.0-02002 and earlier. The patched versions are 12.4.3-03245 (platform-hotfix) and 12.5.0-02283 (platform-hotfix), respectively. It is essential for users to check their appliance versions and apply the corresponding fixes to ensure the security of their systems. The fact that this vulnerability has been actively exploited in the wild underscores the importance of prompt action in applying these patches.
Combination with Another Vulnerability
The vulnerability was reported to have been used in combination with another flaw, tracked as CVE-2025-23006, to achieve unauthenticated remote code execution with root privileges. That second flaw, rated CVSS 9.8 (critical), was patched by SonicWall in late January 2025 in version 12.4.3-02854 (platform-hotfix). Chained together, the two flaws allow arbitrary code execution as root, which amounts to complete compromise of the appliance.
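The advisory asks administrators to check their appliance versions against the affected and fixed builds above. The following is an added example (not SonicWall's tooling) that parses SMA version strings of the form `12.4.3-03093` and reports, per branch, whether an appliance carries the CVE-2025-40602 fix and the earlier CVE-2025-23006 fix, using only the builds named on this page; builds that fall between the last listed affected build and the hotfix are flagged rather than assumed safe.

```python
"""Added example: check SMA version strings against the fix builds in the advisory."""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_version(text: str) -> tuple:
    """'12.4.3-03093' -> (12, 4, 3, 3093); tuples compare lexicographically, so the build decides."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def fmt(v: tuple) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}-{v[3]:05d}"

# Per branch: (last affected build, fixed platform-hotfix build), as stated in the advisory.
RULES_40602 = {
    (12, 4): (parse_version("12.4.3-03093"), parse_version("12.4.3-03245")),
    (12, 5): (parse_version("12.5.0-02002"), parse_version("12.5.0-02283")),
}
# CVE-2025-23006 fix build from the advisory; only the 12.4 branch is named there.
FIXED_23006 = {(12, 4): parse_version("12.4.3-02854")}

def status_40602(v: tuple) -> str:
    branch = v[:2]
    if branch < (12, 4):            # covered by "12.4.3-03093 and earlier"
        return "affected, update to 12.4.3-03245"
    if branch not in RULES_40602:   # e.g. a later 12.x branch the text does not mention
        return "not covered by advisory text"
    last_affected, fixed = RULES_40602[branch]
    if v <= last_affected:
        return f"affected, update to {fmt(fixed)}"
    if v >= fixed:
        return "patched"
    # Builds between the last listed affected build and the hotfix are not on the page.
    return f"not listed; confirm against {fmt(fixed)}"

def status_23006(v: tuple) -> str:
    fixed = FIXED_23006.get(v[:2])
    if fixed is None:
        return "no fix build given for this branch"
    return "patched" if v >= fixed else "affected, update to " + fmt(fixed)

def assess(version_text: str) -> dict:
    """Patch status per CVE; an appliance missing both fixes is exposed to the
    chain the advisory describes (unauthenticated remote code execution as root)."""
    v = parse_version(version_text)
    return {"version": fmt(v),
            "CVE-2025-40602": status_40602(v),
            "CVE-2025-23006": status_23006(v)}
```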
Discovery and Reporting
The discovery and reporting of the CVE-2025-40602 vulnerability are credited to Clément Lecigne and Zander Work of the Google Threat Intelligence Group (GTIG); their report prompted SonicWall to release the patches. Google is also tracking a cluster named UNC6148, which targets fully patched, end-of-life SonicWall SMA 100 series devices in a campaign that drops a backdoor called OVERSTEP, suggesting broader activity against these appliances.
Conclusion and Recommendations
Because CVE-2025-40602 is being actively exploited, users of the affected SMA 100 series appliances should apply the fixes as soon as possible. Chained with CVE-2025-23006, this flaw enables unauthenticated remote code execution with root privileges, so prompt patching is necessary. Users should check their appliance versions, apply the corresponding patches, and remain vigilant for any signs of compromise.