SonicWall SMA100 Series N-day Vulnerabilities Technical Details Revealed
Technical details have been published for multiple critical vulnerabilities affecting SonicWall’s SMA100 series SSL-VPN appliances, highlighting persistent security flaws in network infrastructure devices.
The vulnerabilities, designated CVE-2025-40596, CVE-2025-40597, and CVE-2025-40598, demonstrate fundamental programming errors that enable pre-authentication attacks against firmware version 10.2.1.15.
Key Takeaways
1. Stack overflow, heap overflow, and XSS in SonicWall SMA100 SSL-VPN devices.
2. Both overflows triggered without authentication via malformed HTTP requests.
3. Unsafe programming practices continue in critical network infrastructure.
CVE-2025-40596: Pre-Authentication Stack Buffer Overflow
According to watchTowr Labs’ analysis, the vulnerability is a classic stack-based buffer overflow triggered through malformed HTTP requests to the /__api__/ endpoint.
The flaw lies in the /usr/src/EasyAccess/bin/httpd binary, which is responsible for processing incoming SSL-VPN connections.
The vulnerable code utilizes an unsafe sscanf function call that parses user-controlled URI data without proper bounds checking.
When the system encounters requests beginning with /__api__/, it copies user input into a 0x800-byte stack buffer located at [rsp+898h+var_878] without validating input length.
Exploitation requires minimal effort, achievable through a simple Python one-liner: import requests; requests.get("https://x.x.x.x/__api__/v1/" + 'A'*3000, verify=False).
While stack protection mechanisms limit immediate exploitation potential, the vulnerability’s pre-authentication nature in an SSL-VPN context raises significant security concerns.
CVE-2025-40597: Heap Overflow
The second vulnerability affects the mod_httprp.so module, likely standing for “HTTP Reverse Proxy,” which handles various SonicWall-specific HTTP parsing functions.
This heap-based buffer overflow occurs during Host header processing, demonstrating how even “secure” programming practices can fail when implemented incorrectly.
The vulnerable code allocates a 128-byte heap chunk via calloc(0x80, 1) before passing it to __sprintf_chk.
Despite using the supposedly safer sprintf variant, developers passed -1 (0xFFFFFFFFFFFFFFFF) as the size parameter, effectively disabling bounds checking entirely.
This configuration allows attackers to overflow the allocated heap chunk by sending oversized Host headers: import requests; requests.get("https://x.x.x.x/__api__/", headers={'Host': 'A'*750}, verify=False).
The overflow corrupts adjacent heap metadata, potentially enabling more sophisticated exploitation techniques.
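Added example, not SonicWall's code and not watchTowr's proof of concept: a C reconstruction of the two unsafe patterns described in the stack-overflow and heap-overflow sections above, each placed beside a bounded form that a code reviewer would expect. The buffer sizes (0x800 and 0x80), the /__api__/ prefix and the Host-header framing come from the write-up; the function names, the "https://%s" format string and the constructed inputs are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes from the write-up: a 0x800-byte stack buffer for the URI tail and a
   calloc(0x80, 1) heap chunk for the Host value. Everything else here is an
   illustrative reconstruction, not the appliance's code. */
#define API_BUF_SIZE  0x800
#define HOST_BUF_SIZE 0x80

/* sscanf writes up to <width> bytes plus a NUL, so the width literal below
   must stay at API_BUF_SIZE - 1. */
_Static_assert(API_BUF_SIZE == 2048, "update the %2047s width to API_BUF_SIZE - 1");

/* CVE-2025-40596 pattern: "%s" has no width, so a path tail longer than the
   buffer runs off the end of it. Kept only for contrast with the form below. */
static void parse_api_path_unsafe(const char *uri, char out[API_BUF_SIZE]) {
    sscanf(uri, "/__api__/%s", out);
}

/* Hardened form: bounded width plus an explicit truncation check. Returns
   false when the prefix does not match or the tail would not fit, so the
   caller rejects the request instead of processing a silently shortened path. */
static bool parse_api_path_safe(const char *uri, char out[API_BUF_SIZE]) {
    int consumed = 0;
    out[0] = '\0';
    if (sscanf(uri, "/__api__/%2047s%n", out, &consumed) != 1)
        return false;
    /* %s stops at whitespace or at the width limit; if the next byte is
       neither end-of-string nor whitespace, the limit was hit. */
    unsigned char next = (unsigned char)uri[consumed];
    return next == '\0' || isspace(next);
}

/* CVE-2025-40597 pattern: __sprintf_chk with a size of (size_t)-1 checks
   nothing, which is plain sprintf, so the 128-byte chunk is written without
   a bound. Kept only for contrast. */
static char *format_host_unsafe(const char *host) {
    char *buf = calloc(HOST_BUF_SIZE, 1);
    if (buf == NULL) return NULL;
    sprintf(buf, "https://%s", host);
    return buf;
}

/* Hardened form: the bound is the real allocation size, and a value that
   would be truncated is rejected rather than silently cut. Caller frees. */
static char *format_host_safe(const char *host) {
    char *buf = calloc(HOST_BUF_SIZE, 1);
    if (buf == NULL) return NULL;
    int n = snprintf(buf, HOST_BUF_SIZE, "https://%s", host);
    if (n < 0 || (size_t)n >= HOST_BUF_SIZE) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Constructed inputs so the checks run offline: "/__api__/" followed by n
   'A' bytes, or a Host value of n 'A' bytes. Each returns whether the
   hardened parser accepted the input. */
static bool api_path_accepted(size_t n) {
    const char prefix[] = "/__api__/";
    size_t plen = sizeof(prefix) - 1;
    char *uri = malloc(plen + n + 1);
    if (uri == NULL) return false;
    memcpy(uri, prefix, plen);
    memset(uri + plen, 'A', n);
    uri[plen + n] = '\0';
    char out[API_BUF_SIZE];
    bool ok = parse_api_path_safe(uri, out);
    free(uri);
    return ok;
}

static bool host_accepted(size_t n) {
    char *host = malloc(n + 1);
    if (host == NULL) return false;
    memset(host, 'A', n);
    host[n] = '\0';
    char *formatted = format_host_safe(host);
    bool ok = formatted != NULL;
    free(formatted);
    free(host);
    return ok;
}

int main(void) {
    char small[API_BUF_SIZE];
    parse_api_path_unsafe("/__api__/v1/", small);   /* short input: harmless */
    char *h = format_host_unsafe("vpn.example.test");
    printf("unsafe forms, short input: %s %s\n", small, h);
    free(h);
    printf("3000-byte path accepted: %d\n", api_path_accepted(3000));
    printf("750-byte Host accepted:  %d\n", host_accepted(750));
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c`. The review points it encodes: every `%s` in a scanf format carries a width tied to the destination size, every `snprintf`/`__sprintf_chk` bound is the real allocation size rather than a sentinel like -1, and a value that would be truncated is rejected up front rather than written short, because the 2047-byte and 119-byte thresholds are exactly where the unbounded versions start corrupting the stack and the adjacent heap chunk.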
CVE-2025-40598: Cross-site Scripting Flaw
The third vulnerability represents a straightforward reflected cross-site scripting flaw in the radiusChallengeLogin CGI endpoint.
The state parameter reflects user input directly into HTTP responses without sanitization or encoding.
Exploitation requires minimal sophistication: https://x.x.x.x/cgi-bin/radiusChallengeLogin?portalName=portal1&status=needchallenge&state=">.
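Added example, not code from the page or from SonicWall: how the radiusChallengeLogin reflection described above should encode the state value before writing it into the response. An HTML attribute context is assumed from the `">` prefix of the published payload; the hidden-input markup, function names and sample values are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement text for the five characters that matter inside HTML text and
   double-quoted attribute values; everything else passes through unchanged. */
static const char *html_replacement(char c) {
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Returns a malloc'd HTML-escaped copy of s (caller frees), or NULL. */
static char *html_escape(const char *s) {
    size_t len = 0;
    for (const char *p = s; *p; p++) {
        const char *rep = html_replacement(*p);
        len += rep ? strlen(rep) : 1;
    }
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    char *w = out;
    for (const char *p = s; *p; p++) {
        const char *rep = html_replacement(*p);
        if (rep) { size_t l = strlen(rep); memcpy(w, rep, l); w += l; }
        else *w++ = *p;
    }
    *w = '\0';
    return out;
}

/* Vulnerable pattern as the write-up describes it: the query value is placed
   in the response unchanged. A value starting with "> closes the attribute
   and the tag, and whatever follows is parsed as markup. The hidden-input
   template is an assumption about the page, not taken from the appliance. */
static char *render_state_raw(const char *state) {
    const char *fmt = "<input type=\"hidden\" name=\"state\" value=\"%s\">";
    int n = snprintf(NULL, 0, fmt, state);
    if (n < 0) return NULL;
    char *out = malloc((size_t)n + 1);
    if (out != NULL) snprintf(out, (size_t)n + 1, fmt, state);
    return out;
}

/* Hardened form: encode before interpolating. The escaped value contains no
   quote or angle bracket, so it cannot leave the attribute. */
static char *render_state_safe(const char *state) {
    char *esc = html_escape(state);
    if (esc == NULL) return NULL;
    char *out = render_state_raw(esc);
    free(esc);
    return out;
}

/* Crude breakout check: counts '>' in a fragment. The template itself has
   exactly one, so any extra means the reflected value produced new markup. */
static int count_gt(const char *html) {
    int n = 0;
    for (; *html; html++) if (*html == '>') n++;
    return n;
}

int main(void) {
    const char *probe = "\">";   /* constructed sample: the published payload's prefix */
    char *raw = render_state_raw(probe);
    char *safe = render_state_safe(probe);
    printf("raw:  %s  (tag closers: %d)\n", raw, count_gt(raw));
    printf("safe: %s  (tag closers: %d)\n", safe, count_gt(safe));
    free(raw);
    free(safe);
    return 0;
}
```

Output encoding at the point of interpolation is the fix that holds regardless of whether the appliance's WAF is enabled on the management interface; the `count_gt` check is only a quick way to see, on a sample, that the raw render gains a second tag closer while the encoded one does not.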
| CVE | Title | CVSS 3.1 Score | Severity |
| CVE-2025-40596 | Pre-Authentication Stack-Based Buffer Overflow | 7.3 | High |
| CVE-2025-40597 | Pre-Authentication Heap-Based Buffer Overflow | 7.5 | High |
| CVE-2025-40598 | Reflected Cross-Site Scripting (XSS) | 6.1 | Medium |
Notably, the SMA100’s Web Application Firewall features appear disabled on management interfaces, allowing even basic XSS payloads to execute successfully.
These vulnerabilities underscore persistent security challenges in network appliance development, where fundamental programming errors continue enabling pre-authentication attacks against critical infrastructure components.
SonicWall has published an advisory addressing these issues through its Product Security Incident Response Team.
Organizations relying on SonicWall SMA100 series devices should immediately apply available patches and consider implementing additional network-level protections until full remediation is achieved.