SonicWall Urges Patch After 3 Major VPN Vulnerabilities Disclosed
Cybersecurity firm watchTowr has uncovered multiple serious vulnerabilities within SonicWall’s SMA100 series SSL-VPN appliances, highlighting ongoing security challenges in widely used network infrastructure devices.
The in-depth research, which covers three CVEs (two rated High and one Medium), was shared with Hackread.com. The findings, confirmed against firmware version 10.2.1.15 and earlier, expose flaws that watchTowr Labs' experts described as feeling "preserved in amber from a more naïve era of C programming." Despite advances in secure development practice, pre-authentication buffer overflows continue to surface in this class of appliance.
Among the vulnerabilities is CVE-2025-40596, a pre-authentication stack-based buffer overflow rated High with a CVSS score of 7.3. It resides in httpd, the program that handles incoming web requests, which parses part of the request URL with sscanf without bounding the conversion to the size of the destination buffer, so an over-long URL component is copied into a small fixed-size stack buffer.
According to the researchers, exploitation could cause a denial of service (DoS) or potentially remote code execution (RCE). The binary is built with stack protection, which makes turning the overflow into code execution harder, but the presence of such a basic flaw in a 2025 firmware release is still concerning.
Another significant issue, CVE-2025-40597, is a heap-based buffer overflow, also exploitable without authentication and rated High with a CVSS score of 7.5. It lies in the mod_httprp.so component, which handles HTTP requests.
The bug arises because a bounds-checked variant of sprintf was called with a size argument that does not match the actual size of the heap allocation it writes into, so a crafted Host: header can write past the end of the buffer. This corrupts adjacent heap memory and could lead to DoS or potentially RCE, though watchTowr noted that turning it into full RCE was challenging because the server's heap layout is dynamic and hard to predict.
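Both bugs above share one shape: a C standard-library call that looks bounded but whose bound is either missing (sscanf with no field width) or disconnected from the real buffer size (a bounded sprintf given the wrong length). The following C code is an added illustration written for this article, not SonicWall's or watchTowr's code; the buffer sizes, function names and the Host-header template are assumptions chosen to show the pattern and its hardened counterpart for each case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for one URL path segment. */
#define SEG_MAX 32

/* Vulnerable shape (illustrative only): "%s" carries no field width, so the
 * copy into seg is bounded by the request, not by SEG_MAX. A path segment of
 * 32 or more bytes overruns the stack buffer. Never call with untrusted input. */
int parse_segment_unsafe(const char *path, char seg[SEG_MAX]) {
    return sscanf(path, "/%s", seg);
}

/* Hardened shape: the field width (SEG_MAX - 1 = 31) bounds the copy, and %n
 * lets the caller detect a segment that was cut off rather than silently
 * accepting a truncated value. Returns 0 on success, negative on failure. */
int parse_segment_safe(const char *path, char seg[SEG_MAX]) {
    int consumed = 0;
    if (sscanf(path, "/%31[^/]%n", seg, &consumed) != 1)
        return -1;                  /* no leading '/' or empty segment */
    char next = path[consumed];
    if (next != '\0' && next != '/')
        return -2;                  /* segment longer than 31 bytes: reject */
    return 0;
}

/* Vulnerable shape for the heap case (illustrative only): the destination is
 * allocated with one size, but the bound passed to snprintf is a different,
 * larger constant. snprintf honours the bound it is given, so the "safe" call
 * writes past the 64-byte allocation once host is long enough. */
#define WRONG_BOUND 256
char *forward_host_unsafe(const char *host) {
    size_t alloc = 64;                         /* what is really allocated */
    char *buf = malloc(alloc);
    if (!buf) return NULL;
    snprintf(buf, WRONG_BOUND, "Host: %s", host);   /* bound != alloc */
    return buf;
}

/* Hardened shape: allocation size and snprintf bound come from the same
 * computation, and the return value is checked so truncation (or a
 * miscomputed size) is an error instead of a silent corruption. */
char *forward_host_safe(const char *host) {
    size_t need = strlen("Host: ") + strlen(host) + 1;   /* +1 for NUL */
    char *buf = malloc(need);
    if (!buf) return NULL;
    int n = snprintf(buf, need, "Host: %s", host);
    if (n < 0 || (size_t)n >= need) {   /* would have been truncated */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void) {
    char seg[SEG_MAX];
    printf("safe parse of /cgi-bin/x -> %d (%s)\n",
           parse_segment_safe("/cgi-bin/x", seg), seg);
    char *h = forward_host_safe("vpn.example.test");
    if (h) { printf("%s\n", h); free(h); }
    return 0;
}
```

The hardened sscanf form rejects an over-long segment rather than truncating it; in a request parser, truncation is itself a bug because two different URLs would collapse to the same value. For snprintf, the rule is that the size argument must be the size of the buffer you are writing into, nothing else, and the return value must be checked.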
Finally, CVE-2025-40598 is a reflected cross-site scripting (XSS) vulnerability rated Medium with a CVSS score of 6.1. This classic web flaw lets an attacker inject script into a page served by the appliance, which then runs in the browser of any user who follows a specially crafted link.
Worse, even basic XSS payloads worked because the appliance's Web Application Firewall (WAF) feature appeared to be disabled on its management interfaces, so it offered no protection against this type of attack. A WAF is only a secondary control in any case; the underlying fix is for the application to encode untrusted input before reflecting it into a response.
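As an added example (not code from SonicWall, watchTowr or this article), the following C functions show the application-side fix that a reflected XSS needs regardless of WAF state: HTML-encode the untrusted value before it is placed in the response. The template string and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* HTML-encode an untrusted string for use in an element body or a quoted
 * attribute. Returns the number of bytes written (excluding the NUL), or
 * (size_t)-1 if out is too small. Never writes a partial entity. */
size_t html_escape(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#x27;"; break;
            default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (o + rl + 1 > outlen)   /* keep room for the terminating NUL */
            return (size_t)-1;
        memcpy(out + o, rep, rl);
        o += rl;
    }
    if (o + 1 > outlen)
        return (size_t)-1;
    out[o] = '\0';
    return o;
}

/* Reflect a query parameter into a response body the safe way: escape first,
 * then drop the escaped text into the template. Returns bytes written or -1. */
int render_search_echo(const char *value, char *out, size_t outlen) {
    char esc[256];
    if (html_escape(value, esc, sizeof esc) == (size_t)-1)
        return -1;
    int n = snprintf(out, outlen, "<p>You searched for: %s</p>", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void) {
    char body[512];
    if (render_search_echo("<script>alert(1)</script>", body, sizeof body) > 0)
        puts(body);   /* the payload comes back as inert text, not markup */
    return 0;
}
```

Encoding belongs at the point where the value enters HTML, and the encoder must match the context (element body or attribute here; a JavaScript string or URL context needs a different one). That is what protects the user whether or not a WAF is in front of the appliance.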
watchTowr emphasised that while some of these vulnerabilities might be difficult to exploit all the way to RCE, their very existence in current devices is problematic. The researchers urge organisations to apply the available patches immediately by upgrading to firmware version 10.2.2.1-90sv or later.
SonicWall advises enabling multi-factor authentication (MFA) and ensuring the WAF feature is active on SMA100 appliances as additional protective measures. SonicWall has also released an advisory regarding these vulnerabilities.