SonicWall SMA 100 Vulnerabilities Allow Remote Execution of Arbitrary JavaScript

Cybersecurity vendor SonicWall issued a critical advisory highlighting three serious vulnerabilities affecting its Secure Mobile Access (SMA) 100 series appliances.

Impacting SMA 210, SMA 410, and SMA 500v models running firmware version 10.2.1.15-81sv and earlier, the flaws could allow unauthenticated remote attackers to trigger denial-of-service conditions or execute arbitrary code and JavaScript.

| CVE ID | Vulnerability Type | CVSS Score | CVSS Vector |
|---|---|---|---|
| CVE-2025-40596 | Pre-Authentication Stack-Based Buffer Overflow | 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CVE-2025-40597 | Pre-Authentication Heap-Based Buffer Overflow | 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CVE-2025-40598 | Reflected Cross-Site Scripting (XSS) | 6.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |

The advisory, tracked as SNWLID-2025-0012, was both published and last updated on July 23, 2025, and assigns a CVSS v3 base score of 7.3 to the two buffer-overflow issues and 6.3 to the XSS bug.

Designated CVE-2025-40596 and CVE-2025-40597, the first two vulnerabilities reside in the SMA 100 web interface and are stack-based and heap-based buffer overflows, respectively.

Both are pre-authentication flaws that permit remote execution of arbitrary code or can crash the appliance, potentially causing denial of service.

Classified under CWE-121 and CWE-122, these issues share an identical CVSS vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. Because they require no valid credentials or user interaction, they represent a high risk for unmitigated compromise of VPN access infrastructure.

Separately, CVE-2025-40598 represents a reflected cross-site scripting vulnerability in the same web interface, allowing an attacker to inject malicious JavaScript into unsuspecting user sessions.

With a CVSS v3 base score of 6.3 and a vector string of CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L, this flaw is classified as CWE-79.

Although successful exploitation requires a user to click a crafted link, the potential for credential theft, session hijacking, or delivery of additional exploits underscores the severity of the issue.

SonicWall confirms that no functional workaround exists for these vulnerabilities, stressing that affected users must apply the fixed firmware release version 10.2.2.1-90sv or later to mitigate the risks.

The advisory clarifies that SSL-VPN SMA1000 series products and SSL-VPNs running on SonicWall firewalls are not affected, isolating the concern to SMA 100 series hardware.

Administrators are urged to enable multifactor authentication at the appliance or directory level and activate the built-in web application firewall feature on all SMA 100 devices to bolster defenses during the patching process.

The potential impact of these vulnerabilities extends from service disruption through denial-of-service conditions to the full compromise of appliance management interfaces and theft of sensitive credentials.

In enterprise environments where SMA appliances serve as remote access gateways, successful exploitation could enable threat actors to pivot into internal networks, exfiltrate data, or deploy ransomware.

While SonicWall reports no evidence to date of in-the-wild exploitation, the publication of proof-of-concept exploits may accelerate attempts against unpatched devices.

SonicWall has updated its security advisories page with detailed instructions, direct download links to the fixed firmware, and guidance on verifying device versions.

Administrators are advised to schedule a maintenance window to install updates, validate functionality post-upgrade, and monitor logs for any anomalous activity.

Enabling multifactor authentication and the embedded web application firewall further strengthens resistance against unauthorized access.

Organizations should also monitor threat intelligence feeds for emerging indicators of compromise related to these CVEs to ensure ongoing vigilance.
