Advisory

SonicWall SMA100 vulnerability enables remote code execution

Take action: For any network and security device, the first step (always) is to disable remote management access from the internet. If you have SonicWall SMA100 series devices (SMA 210, 410, or 500v), plan a quick upgrade to firmware version 10.2.2.1-90sv or higher. Attackers are actively targeting these devices. As an additional precaution, reset all administrator passwords.



SonicWall is reporting a critical security vulnerability affecting three products in its SMA100 series of Secure Mobile Access appliances.

The vulnerability is tracked as CVE-2025-40599 (CVSS score 9.1), a post-authentication arbitrary file upload vulnerability that allows authenticated users with administrative privileges to upload arbitrary files to the SMA100 series web management interface. 

A remote attacker who has obtained administrative access can upload malicious files to the system, leading to complete compromise through remote code execution.

SonicWall urges customers to apply this security update promptly, since there are ongoing attack campaigns targeting SMA devices. Currently, there is no evidence that CVE-2025-40599 is being actively exploited, but SonicWall is concerned that attackers could chain it with other exploited flaws.

SonicWall SMA 100 Series products SMA 210, 410, and 500v running firmware versions 10.2.1.15-81sv and earlier versions are vulnerable. The vulnerability does not affect SonicWall SSL VPN SMA1000 series products or SSL-VPN functionality running on SonicWall firewalls.

Organizations should upgrade their SMA100 series devices to firmware version 10.2.2.1-90sv or higher.

For organizations using the virtual SMA 500v appliance, SonicWall recommends backing up the virtual appliance image, completely removing the existing virtual machine and associated virtual disks, downloading and reinstalling a clean virtual appliance image from mysonicwall.com, and rebuilding the configuration entirely rather than importing old configurations.

SonicWall strongly recommends several additional security measures across all SMA100 series appliances: disabling remote management access on external-facing interfaces to reduce attack surface, resetting all user and administrator passwords, reinitializing one-time password bindings for all users, enforcing multi-factor authentication for all accounts, and enabling Web Application Firewall functionality on SMA100 devices.

Update - as of September 23, 2025, SonicWall released firmware update 10.2.2.2-92sv for SMA 100 series devices to remove the OVERSTEP rootkit malware, which threat actor UNC6148 has been deploying to steal credentials, OTP seeds, and certificates for persistent access. The company strongly urges customers to upgrade immediately, especially as these end-of-life devices reach end-of-support on October 1, 2025.
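To apply the version thresholds above across an asset inventory, the following added example (not SonicWall's code or tooling) triages appliances by model and firmware string. The inventory rows, hostnames, status labels and the assumption that the `-NNsv` build number increases with each release are constructed for illustration.

```python
import re

# Thresholds taken from the advisory text.
CVE_FIXED = (10, 2, 2, 1, 90)        # 10.2.2.1-90sv fixes CVE-2025-40599
ROOTKIT_CLEANUP = (10, 2, 2, 2, 92)  # 10.2.2.2-92sv adds OVERSTEP removal
AFFECTED_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_firmware(version):
    """Turn '10.2.1.15-81sv' into a comparable tuple (10, 2, 1, 15, 81)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(part) for part in m.groups())


def triage(model, version):
    """Classify one appliance against the advisory's version thresholds."""
    if model not in AFFECTED_MODELS:
        return "out-of-scope"          # e.g. SMA1000 series, firewall SSL-VPN
    try:
        fw = parse_firmware(version)
    except ValueError:
        return "check-manually"        # never treat an unparsable version as safe
    if fw < CVE_FIXED:
        return "upgrade-now"
    if fw < ROOTKIT_CLEANUP:
        return "upgrade-for-overstep-removal"
    return "current"


# Constructed inventory rows: (hostname, model, firmware) -- assumed format.
INVENTORY = [
    ("vpn-edge-01", "SMA 210", "10.2.1.15-81sv"),
    ("vpn-edge-02", "SMA 410", "10.2.2.1-90sv"),
    ("vpn-lab-01", "SMA 500v", "10.2.2.2-92sv"),
    ("vpn-dc-01", "SMA1000", "12.4.3-02804"),
    ("vpn-edge-03", "SMA 410", "10.2.2.1"),
]


def triage_inventory(rows):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in rows}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:12} {status}")
```

A status of `current` only reflects the firmware level; the password resets, OTP rebinding and SMA 500v rebuild steps listed above still apply.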
