
Security researchers have discovered a critical privilege escalation vulnerability in SonicWall’s SMA1000 appliance that attackers are actively exploiting to gain unauthorized administrative access.
The vulnerability, tracked as CVE-2025-40602, affects the appliance management console and poses a significant risk to enterprise networks relying on SonicWall’s remote access solutions.
SonicWall PSIRT disclosed the flaw on December 17, 2025, revealing that the SMA1000 appliance suffers from insufficient authorization controls in its management interface.
This allows authenticated attackers to escalate their privileges and potentially compromise the entire appliance.

| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-40602 |
| Advisory ID | SNWLID-2025-0019 |
| Vulnerability Type | Local Privilege Escalation (CWE-862, CWE-250) |
| CVSS v3 Score | 6.6 |
| CVSS Vector | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Affected Product | SonicWall SMA1000 |

The vulnerability received a CVSS score of 6.6, indicating a medium-to-high severity rating.
The security advisory reveals a particularly alarming scenario: attackers have been chaining this vulnerability with CVE-2025-23006, a separate unauthenticated remote code execution flaw with a CVSS score of 9.8.
By combining both vulnerabilities, attackers can achieve unauthenticated remote code execution with root-level privileges, essentially gaining complete control over affected SMA1000 devices.
Affected versions include SMA1000 12.4.3-03093 and earlier, as well as 12.5.0-02002 and earlier. SonicWall has released patched versions: 12.4.3-03245 and 12.5.0-02283.
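For triaging an appliance inventory against the version bounds above, the following is an added example, not code from SonicWall or the original article. It assumes version strings in the `major.minor.patch-build` form shown above, reads "and earlier" as covering release trains older than 12.4.3, and uses hypothetical hostnames in a constructed inventory.

```python
import re

# Version bounds as stated in the article (advisory SNWLID-2025-0019).
LAST_AFFECTED = {(12, 4, 3): 3093, (12, 5, 0): 2002}
FIRST_FIXED = {(12, 4, 3): 3245, (12, 5, 0): 2283}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_version(text):
    """Split 'major.minor.patch-build' into (train, build)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build

def classify(text):
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    train, build = parse_version(text)
    if train in LAST_AFFECTED:
        if build <= LAST_AFFECTED[train]:
            return "affected"
        if build >= FIRST_FIXED[train]:
            return "fixed"
        return "unlisted"  # build between the two published bounds
    # Assumption: "and earlier" includes trains older than 12.4.3.
    if train < min(LAST_AFFECTED):
        return "affected"
    return "unlisted"  # a train the article says nothing about

def triage(inventory):
    """Map hostname -> status; bad strings are flagged, not dropped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparseable"
    return result

# Constructed inventory; hostnames are hypothetical.
SAMPLE = {
    "sma-edge-01": "12.4.3-03093",
    "sma-edge-02": "12.4.3-03245",
    "sma-dr-01": "12.5.0-02002",
    "sma-lab-01": "12.5.0-02283",
    "sma-old-01": "12.4.2-01000",
    "sma-misc-01": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Anything reported as `unlisted` or `unparseable` needs a manual check against the advisory rather than being assumed safe.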
Impact on SonicWall SMA1000 Appliances
The company urges all users to upgrade immediately to these fixed versions available on mysonicwall.com. The vulnerability was discovered and reported by researchers Clément Lecigne and Zander Work from Google Threat Intelligence Group.
SonicWall emphasized that the flaw does not affect SSL-VPN running on SonicWall firewalls, which limits the blast radius somewhat, though SMA1000 appliances remain critical targets.
Until patches are deployed, SonicWall PSIRT recommends implementing immediate mitigations: restrict SSH access to the appliance management console only through VPN or allowed administrative IP addresses, and disable SSL-VPN management interface access from the public internet.
These workarounds help reduce exposure while organizations plan their patching schedule.
Given the active exploitation and the ease of chaining this vulnerability with CVE-2025-23006, organizations managing SonicWall SMA1000 appliances should prioritize patching as an urgent security measure to prevent potential breaches and unauthorized access to their remote access infrastructure.
