SonicWall has issued an urgent security advisory warning of active exploitation of a local privilege escalation vulnerability affecting its SMA1000 appliances.
The flaw, tracked as CVE-2025-40602, enables attackers with management console access to gain elevated privileges and potentially achieve complete system control.
The vulnerability stems from insufficient authorization checks in the SonicWall SMA1000 Appliance Management Console (AMC).
| Field | Value |
|---|---|
| Vulnerability Name | SonicWall SMA1000 Local Privilege Escalation |
| CVE ID | CVE-2025-40602 |
| Advisory ID | SNWLID-2025-0019 |
| CVSS Score | 6.6 (Medium) |
Researchers from Google Threat Intelligence Group discovered that the security flaw could be chained with another critical vulnerability to achieve unauthenticated remote code execution with root-level privileges.
This two-stage attack represents a significant risk for organizations relying on SonicWall’s remote access infrastructure.
The vulnerability affects SMA1000 devices running platform-hotfix versions 12.4.3-03093 and earlier, as well as 12.5.0-02002 and earlier.
SonicWall clarified that this flaw does not impact SSL-VPN functionality on standalone firewalls, limiting exposure but still presenting substantial risk to SMA1000 appliance users.
Threat actors are actively leveraging CVE-2025-40602 in combination with CVE-2025-23006, a separate critical vulnerability with a CVSS score of 9.8.
The previous flaw was remedied in build version 12.4.3-02854, released January 22, 2025. The chaining of these vulnerabilities allows attackers to bypass authentication entirely and execute malicious code with root access.
SonicWall has released patched versions to address the vulnerability. Organizations must upgrade to platform-hotfix 12.4.3-03245 or higher, or 12.5.0-02283 or higher to obtain protection. The security patches are available through mysonicwall.com for registered users.
Until patching is completed, SonicWall recommends implementing strict access controls on the Appliance Management Console.
Administrators should restrict SSH access exclusively to company VPN connections or designated administrative IP addresses.
Additionally, disabling public internet access to the AMC and SSH services is strongly advised as a temporary mitigation measure.
SonicWall PSIRT urges all SMA1000 users to prioritize upgrading to the latest hotfix release immediately.
Given the active exploitation and critical nature of the vulnerability when combined with CVE-2025-23006, organizations face urgent pressure to deploy fixes across their infrastructure.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.