SonicWall warned customers today to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was chained in zero-day attacks to escalate privileges.
According to SonicWall, this medium-severity local privilege escalation security flaw (CVE-2025-40602) was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group, and doesn’t affect SSL-VPN running on SonicWall firewalls.
“SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability,” the company said in a Wednesday advisory.
Remote unauthenticated attackers chained this vulnerability with a critical-severity SMA1000 pre-authentication deserialization flaw (CVE-2025-23006) in zero-day attacks to execute arbitrary OS commands under specific conditions.
“This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges. CVE-2025-23006 was remediated in build version 12.4.3-02854 (platform-hotfix) and higher versions (released on Jan 22, 2025).”
Internet watchdog Shadowserver currently tracks over 950 SMA1000 appliances exposed online, though some may already have been patched against this attack chain.
SMA1000 is a secure remote access appliance used by large organizations to provide VPN access to corporate networks. Given their critical roles across enterprises, government, and critical infrastructure organizations, unpatched flaws pose a particularly high risk of exploitation.
Last month, SonicWall linked state-backed hackers to a September security breach that exposed customers’ firewall configuration backup files, roughly one month after researchers warned of over 100 SonicWall SSLVPN accountscompromised using stolen credentials.
In September, it also released a firmware update to help IT admins remove OVERSTEP rootkit malware deployed in attacks against SMA 100 series devices.
One month earlier, SonicWall dismissed claims that the Akira ransomware gang was hacking Gen 7 firewalls using a potential zero-day exploit and tied the incidents to a critical vulnerability (CVE-2024-40766) patched in November 2024.
Cybersecurity firm Rapid7 and the Australian Cyber Security Center (ACSC) later confirmed SonicWall’s findings, saying the Akira gang is exploiting CVE-2024-40766 to target unpatched SonicWall devices.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.