SonicWall Releases Advisory for SMA1000 Vulnerabilities and Associated Exploitation Activity

SonicWall has disclosed a new vulnerability in its SMA1000 access platform affecting the appliance management console. This article details the technical findings, the observed chaining with previous vulnerabilities, and the critical steps required to secure affected environments.

Triage Security Media Team

SonicWall has issued a disclosure regarding a vulnerability affecting its SMA1000 access platform, noting that the flaw is currently subject to active exploitation in combination with previously identified issues.

The newly identified vulnerability, tracked as CVE-2025-40602, is a medium-severity local privilege escalation flaw within the SMA1000 appliance management console (AMC). Assigned a CVSS score of 6.6, the issue arises from insufficient authorization protocols within the AMC, as detailed in SonicWall’s technical advisory.

According to the vendor, this vulnerability has been observed in active campaigns where threat actors combine it with an older critical flaw, CVE-2025-23006. This preceding critical vulnerability, which also affects SMA100 devices, was subject to zero-day exploitation activity in January.

SonicWall’s analysis clarifies the dependency between these issues. "The only known exploitation paths for CVE-2025-40602 (CVSS 6.6) require either that CVE-2025-23006 (CVSS 9.8) remains unpatched, or that the threat actor already possesses access to a local system account," the advisory states.

Assessment of Exploitation Activity

While the full scope and origin of the activity involving CVE-2025-40602 remain under investigation, the chaining of vulnerabilities highlights the importance of comprehensive patch management. SonicWall’s advisory does not currently provide specific metrics on the volume of exploitation. When contacted for further details, the vendor provided a statement but did not comment directly on specific attribution or attack volume.

Discovery of CVE-2025-40602 is credited to researchers Clément Lecigne and Zander Work of Google's Threat Intelligence Group.

Remediation and Mitigation Strategies

SonicWall strongly advises organizations to apply the available hotfixes to secure their environments. The vulnerability is resolved in the following versions:

  • Version 12.4.3-03245 and higher
  • Version 12.5.0-02283 and higher
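Because the fix lands in two separate release lines, a plain "newer is safer" comparison gets this wrong: 12.5.0-02100 sorts above every 12.4.x build yet is still vulnerable, while 12.4.4-00010 is below 12.5.0 yet patched. The following is an added example, not SonicWall code, showing a branch-aware inventory check against the two fixed builds listed above; the version-string format (major.minor.patch-build) and the handling of release lines outside 12.4 and 12.5 are assumptions.

```python
"""Branch-aware check of SMA1000 firmware versions against the fixed builds
named in SonicWall's advisory for CVE-2025-40602.

Added example, not vendor code. Assumes version strings look like
"12.4.3-03245" (major.minor.patch-build); treats release lines the advisory
does not mention as: older than 12.4 -> unpatched, newer than 12.5 -> patched.
"""
import re
from typing import NamedTuple

# Fixed versions from the advisory: each line is patched from this build onward.
FIXED_BUILDS = {
    (12, 4): ((12, 4, 3), 3245),   # 12.4.3-03245 and higher
    (12, 5): ((12, 5, 0), 2283),   # 12.5.0-02283 and higher
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


class Firmware(NamedTuple):
    release: tuple  # (major, minor, patch)
    build: int


def parse_version(text: str) -> Firmware:
    """Parse 'major.minor.patch-build'; raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 version string: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return Firmware((major, minor, patch), build)


def is_patched(text: str) -> bool:
    """True if the version is at or above the fixed build for its release line."""
    fw = parse_version(text)
    branch = fw.release[:2]
    if branch not in FIXED_BUILDS:
        # Assumption: lines older than the lowest fixed line carry no fix;
        # lines newer than the highest fixed line postdate it.
        return branch > max(FIXED_BUILDS)
    fixed_release, fixed_build = FIXED_BUILDS[branch]
    # Tuple comparison: a later patch release wins outright; within the same
    # patch release the build number decides.
    return (fw.release, fw.build) >= (fixed_release, fixed_build)


def triage(inventory: dict) -> dict:
    """Map appliance name -> 'patched' / 'UNPATCHED' / 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "UNPATCHED"
        except ValueError:
            result[host] = "unparseable"  # flag for manual review
    return result


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "sma-dc1": "12.4.3-03245",   # exactly the fixed 12.4 build
    "sma-dc2": "12.4.2-09999",   # high build number, but older patch release
    "sma-lab": "12.5.0-02283",   # exactly the fixed 12.5 build
    "sma-edge": "12.5.0-02100",  # newer line than 12.4, still below its fix
    "sma-old": "12.4.4-00010",   # later patch release on the 12.4 line
    "sma-bad": "12.5",           # not a full version string
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {SAMPLE_INVENTORY[host]:14s} {status}")
```

Anything reported as UNPATCHED or unparseable is where the compensating controls below apply until the hotfix can be installed.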

For organizations unable to immediately apply updates, SonicWall recommends specific compensating controls:

  • Restrict access to the AMC to SSH only, routed through a VPN or specified administrator IP addresses.

  • Disable the SSL VPN management interface in the AMC and block SSH access from the public internet.

The vendor notes that the risk profile is heavily dependent on the status of the earlier vulnerability. "If CVE-2025-23006 has not been patched, the system is already exposed to a critical vulnerability. In this scenario, chaining CVE-2025-40602 does not materially increase the overall risk or attack surface," SonicWall explained.

Broader Security Context

This disclosure is the latest in a series of security events affecting SonicWall environments this year. In October, the vendor confirmed that unauthorized parties accessed a cloud backup service, obtaining firewall configuration data for customers utilizing the service.

Additionally, during the summer, customers experienced a campaign of activity attributed to the Akira ransomware group. While initial research suggested a potential new zero-day vulnerability, SonicWall later confirmed that the actors were utilizing an older vulnerability, CVE-2024-40766, which affects firewall devices.