SonicWall Patches Actively Exploited CVE-2025-40602 Flaw in SMA 1000 Series Appliances

By jinia


SonicWall has released security updates to remediate an actively exploited vulnerability in its Secure Mobile Access (SMA) 1000 series appliances (the 12.4.x and 12.5.x firmware branches) and is urging organizations to patch immediately.

The flaw, tracked as CVE-2025-40602 and assigned a CVSS score of 6.6, is a local privilege escalation vulnerability in the Appliance Management Console (AMC) caused by insufficient authorization checks. It does not grant initial access on its own: an attacker who already has low-privileged code execution or shell access on the appliance can use it to obtain root. The moderate CVSS score reflects that precondition, not a low real-world impact, as the chaining described below shows.

Affected Versions and Fixed Releases

The vulnerability affects both currently maintained SMA 1000 firmware branches. Each branch has its own fixed build, so the build number must be compared within the branch the appliance is running:

  • Version 12.4.3-03093 (platform-hotfix) and earlier
          Fixed in: 12.4.3-03245 (platform-hotfix)

  • Version 12.5.0-02002 (platform-hotfix) and earlier
          Fixed in: 12.5.0-02283 (platform-hotfix)

SonicWall confirmed that CVE-2025-40602 has been exploited in the wild, raising the urgency for organizations running vulnerable firmware.
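The following script is an added example, not SonicWall tooling, for triaging an appliance inventory against the fixed builds quoted above. It assumes version strings of the form "12.4.3-03093 (platform-hotfix)", treats any build below the fixed build on a known branch as vulnerable (the conservative reading of "and earlier"), and ranks hosts that are also missing the January 2025 fix for CVE-2025-23006 first, since those are exposed to the unauthenticated root chain. The host names and versions in INVENTORY are constructed; the CVE-2025-23006 fixed build is only known for the 12.4.3 branch from the article, so other branches are reported as unknown rather than guessed.

```python
"""Firmware-version triage for the SMA 1000 advisory figures quoted in the article.

Added example, not vendor tooling. INVENTORY is constructed for illustration.
Version strings are assumed to look like "12.4.3-03093 (platform-hotfix)";
anything else is flagged for manual review instead of being guessed at.
"""
import re
from typing import Dict, List, Optional, Tuple

Branch = Tuple[int, int, int]

# Fixed builds for CVE-2025-40602 per firmware branch (from the advisory summary).
FIXED_40602: Dict[Branch, int] = {(12, 4, 3): 3245, (12, 5, 0): 2283}
# CVE-2025-23006 fix on the 12.4.3 branch (January 2025). The article gives no
# figure for other branches, so those come back as "unknown-branch" (assumption:
# do not infer a fix level the advisory did not state).
FIXED_23006: Dict[Branch, int] = {(12, 4, 3): 2854}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\s*\(platform-hotfix\))?$")


def parse_version(text: str) -> Optional[Tuple[Branch, int]]:
    """Split '12.4.3-03093 (platform-hotfix)' into ((12, 4, 3), 3093); None if unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build


def assess(version: str, fixed: Dict[Branch, int]) -> str:
    """Compare one version string against a per-branch fixed-build table.

    Builds below the fixed build on a known branch are "vulnerable"; builds at or
    above it are "fixed"; other branches and unparsable strings are reported as such.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparsed"
    branch, build = parsed
    if branch not in fixed:
        return "unknown-branch"
    return "fixed" if build >= fixed[branch] else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Rank hosts: chain-exposed (both CVEs unpatched) first, then LPE-only, then the rest."""
    rows = []
    for host, version in inventory:
        lpe = assess(version, FIXED_40602)
        rce = assess(version, FIXED_23006)
        if lpe == "vulnerable" and rce == "vulnerable":
            priority = "P1"      # exposed to the unauthenticated root RCE chain
        elif lpe == "vulnerable":
            priority = "P2"      # LPE still present even though 23006 is fixed or unlisted
        elif lpe == "fixed":
            priority = "ok"
        else:
            priority = "review"  # unparsed or unlisted branch: check the vendor advisory
        rows.append({"host": host, "version": version, "cve_40602": lpe,
                     "cve_23006": rce, "priority": priority})
    order = {"P1": 0, "P2": 1, "review": 2, "ok": 3}
    rows.sort(key=lambda r: order[r["priority"]])  # stable sort keeps inventory order within a tier
    return rows


# Constructed inventory (not real hosts). The last entry uses a different
# version format on purpose to show the manual-review path.
INVENTORY = [
    ("sma-hq-01", "12.4.3-02804 (platform-hotfix)"),
    ("sma-hq-02", "12.4.3-03093 (platform-hotfix)"),
    ("sma-dc-01", "12.5.0-02283 (platform-hotfix)"),
    ("sma-lab-01", "12.5.0-02002"),
    ("sma-legacy", "10.2.1.15-81sv"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['priority']:6} {row['host']:12} {row['version']:32} "
              f"40602={row['cve_40602']} 23006={row['cve_23006']}")
```

Feeding the script an export from your asset inventory gives a patch order rather than a flat list: hosts still on a pre-02854 build on the 12.4.3 branch go first because both halves of the chain are open, while a host on 12.5.0-02002 is flagged for the LPE alone because the article gives no CVE-2025-23006 fix level for that branch.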

Chained Exploitation Enables Root-Level RCE

According to SonicWall, threat actors have leveraged CVE-2025-40602 in combination with CVE-2025-23006, a critical vulnerability with a CVSS score of 9.8, to achieve unauthenticated remote code execution (RCE) with root privileges. In that chain CVE-2025-23006 supplies the unauthenticated foothold and CVE-2025-40602 elevates the resulting code execution to root, which is why a medium-severity local bug ends up delivering a full appliance compromise.

Notably, CVE-2025-23006 was patched in January 2025 with the release of version 12.4.3-02854 (platform-hotfix). The observed chain therefore relies on appliances that missed that update for most of the year; a device already on 12.4.3-02854 or later is not exposed to this particular chain, but the privilege escalation itself remains present until the new builds are applied, and any other route to low-privileged execution would still lead to root.

Discovery and Threat Attribution

The vulnerability was discovered and responsibly disclosed by Clément Lecigne and Zander Work from the Google Threat Intelligence Group (GTIG). At this time, SonicWall has not disclosed details regarding the scope of exploitation or the threat actors responsible.

Earlier, in July 2025, Google reported tracking a threat cluster known as UNC6148, which targeted fully patched but end-of-life SonicWall SMA 100 series devices (a separate product line from the SMA 1000 appliances affected here) to deploy a stealthy backdoor named OVERSTEP. It remains unclear whether the two campaigns are related, but together they show sustained attacker interest in both SonicWall SMA product lines.

CISA Adds CVE-2025-40602 to KEV Catalog

Update: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-40602 to its Known Exploited Vulnerabilities (KEV) catalog, confirming real-world exploitation.

As a result, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary patches by December 24, 2025, to mitigate the risk and secure federal networks.

Security Recommendations

Given the confirmed active exploitation, SonicWall strongly advises:

  • Immediately upgrading to the fixed build for the branch in use (12.4.3-03245 or 12.5.0-02283, platform-hotfix), and confirming afterwards that the running version reports that build
  • Auditing AMC and SMA access logs for signs of suspicious activity, and treating any appliance that ran an unpatched build while exposed as potentially compromised rather than merely unpatched
  • Restricting AMC and other management interface exposure to trusted networks only
  • Decommissioning end-of-life SMA devices where possible

Conclusion

The active exploitation of CVE-2025-40602 highlights the continued targeting of edge security appliances by advanced threat actors. Organizations using SonicWall SMA 1000 series devices should treat this issue as high priority, applying the fixed builds without delay to prevent privilege escalation to root and, on appliances that also lack the January fix for CVE-2025-23006, unauthenticated compromise of the device.