SonicWall patches actively exploited flaw vulnerability chain in SMA 1000 appliances
Take action: If you have SonicWall SMA 1000 appliances, make sure their SSH and management access is isolated from the public internet and only accessible from trusted networks. Review latest version, and if not up-to date patched, plan a very quick upgrade to platform-hotfix 12.4.3-03245 or 12.5.0-02283 (or higher). Your devices are being hacked, and you can't really hide them from the internet.
Learn More
SonicWall is reporting a local privilege escalation vulnerability in its Secure Mobile Access (SMA) 1000 appliances that has been actively exploited in the wild as part of an attack chain.
The vulnerability is tracked as CVE-2025-40602 (CVSS score 6.6), affects the appliance management console (AMC) and allows authenticated remote attackers to escalate privileges. SonicWall confirmed that the vulnerability was used in combination with a previously patched critical flaw. CVE-2025-40602 is chained in attacks with CVE-2025-23006 (CVSS score 9.8), a deserialization of untrusted data vulnerability that was patched in January 2025. CVE-2025-40602 alone requires authentication to exploit, when combined with the unpatched CVE-2025-23006, the attack chain enables unauthenticated remote code execution with root privileges on vulnerable SMA 1000 appliances.
Affected versions of SonicWall SMA 1000 include platform-hotfix version 12.4.3-03093 and all earlier versions, as well as platform-hotfix version 12.5.0-02002 and all earlier versions.
SonicWall has released patches to address the vulnerability, with fixed versions available as platform-hotfix 12.4.3-03245 and higher, as well as platform-hotfix 12.5.0-02283 and higher.
Organizations can verify their current version and download the latest platform-hotfix from mysonicwall.com. According to SonicWall's security advisory, the only known exploitation paths for CVE-2025-40602 require either that CVE-2025-23006 remains unpatched or that the threat actor already possesses access to a local system account.
SonicWall Product Security Incident Response Team strongly advises all users of SMA 1000 products to upgrade immediately to the latest hotfix release versions to patch both vulnerabilities in the exploitation chain. Organizations unable to patch should limit SSH access only via VPN or specific administrator IP addresses and disable SSL VPN management interface (AMC) and SSH access from the public internet.
