CVE-2025-40602: SonicWall SMA1000 Vulnerability Actively Exploited
SonicWall has released security updates to address a newly disclosed vulnerability (CVE-2025-40602) affecting its Secure Mobile Access (SMA) 1000 series appliances.
The issue is noteworthy not only because it impacts a widely deployed remote access product, but also because it has already been observed in active exploitation. When chained with another previously disclosed flaw, attackers could gain root-level access on unpatched systems.
This blog provides a clear, factual overview of the vulnerability, including what is affected, how the flaw can be exploited, and what actions administrators should take now to reduce risk.
What is CVE-2025-40602?
CVE-2025-40602 (CVSS 6.6) is a local privilege escalation vulnerability caused by insufficient authorization checks within the SonicWall SMA1000 Appliance Management Console (AMC). In practical terms, a user with limited access could exploit this weakness to gain elevated privileges on the appliance.
The vulnerability has a moderate severity on its own. However, its real-world relevance increased after reports confirmed that it has been exploited alongside another SonicWall flaw, amplifying the overall risk.
Which SonicWall Products and Versions Are Affected?
The issue affects SonicWall SMA1000 appliances running specific platform-hotfix versions:
- 12.4.3-03093 and earlier
- 12.5.0-02002 and earlier
SonicWall has clarified in its advisory that SonicWall firewall products and SSL-VPN services on firewalls are not impacted. The vulnerability is limited to the SMA1000 product line and its management console.
How Can CVE-2025-40602 Be Exploited?
On its own, CVE-2025-40602 allows privilege escalation for an authenticated user with existing access. The risk increases significantly when it is chained with CVE-2025-23006, a critical pre-authentication deserialization vulnerability in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC).
Tracked with a CVSS score of 9.8, CVE-2025-23006 allows remote, unauthenticated attackers to execute arbitrary operating system commands under specific conditions. In early 2025, SonicWall’s Product Security Incident Response Team (PSIRT) confirmed that this flaw was actively exploited as a zero-day prior to patching.
(Image: Details of CVE-2025-23006, from SOCRadar Vulnerability Intelligence)
When exploited together, attackers could leverage CVE-2025-23006 for initial access and Remote Code Execution (RCE), then abuse CVE-2025-40602 to escalate privileges to the root level. This chaining demonstrates how a flaw that requires authentication becomes significantly more dangerous when paired with a pre-authentication vulnerability that supplies that access.
CISA Adds the Latest SonicWall SMA1000 Flaw to the KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-40602 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Federal Civilian Executive Branch agencies are required to apply fixes by December 24, 2025.
While this mandate applies to U.S. federal agencies, the KEV listing is widely used by private-sector organizations as a trusted indicator of real-world risk and patching priority.
How Can You Address CVE-2025-40602?
SonicWall has released platform-hotfixes that fully address the issue:
- 12.4.3-03245 or later
- 12.5.0-02283 or later
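As an added example (not code from SonicWall or SOCRadar), the following Python script parses SMA1000 platform-hotfix version strings and classifies each appliance in a constructed inventory against the affected and fixed ranges listed above. A version that falls between the last affected and the first fixed hotfix, or that sits on a branch the advisory does not mention, is flagged for manual review rather than assumed safe.

```python
import re
from typing import Dict, NamedTuple, Tuple


class HotfixVersion(NamedTuple):
    """Parsed SMA1000 platform-hotfix version, e.g. '12.4.3-03093'."""
    platform: Tuple[int, int, int]  # (12, 4, 3)
    hotfix: int                     # 3093


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

# Ranges as quoted from the SonicWall advisory on this page:
# platform branch -> (last affected hotfix, first fixed hotfix)
ADVISORY = {
    (12, 4, 3): (3093, 3245),
    (12, 5, 0): (2002, 2283),
}


def parse_version(text: str) -> HotfixVersion:
    """Split 'a.b.c-hhhhh' into a platform tuple and an integer hotfix."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 version string: {text!r}")
    a, b, c, hotfix = m.groups()
    return HotfixVersion((int(a), int(b), int(c)), int(hotfix))


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'review' for one appliance version."""
    v = parse_version(text)
    rng = ADVISORY.get(v.platform)
    if rng is None:
        return "review"  # branch not covered by the advisory: check manually
    last_affected, first_fixed = rng
    if v.hotfix <= last_affected:
        return "affected"
    if v.hotfix >= first_fixed:
        return "fixed"
    return "review"  # hotfix between the two stated values: not confirmed fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each appliance name in a {name: version} inventory to a verdict."""
    return {name: assess(ver) if VERSION_RE.match(ver.strip()) else "review"
            for name, ver in inventory.items()}


SAMPLE_INVENTORY = {  # constructed sample, not real hosts
    "sma-edge-01": "12.4.3-03093",  # last affected 12.4.3 hotfix
    "sma-edge-02": "12.5.0-02283",  # first fixed 12.5.0 hotfix
    "sma-edge-03": "12.4.3-03100",  # between affected and fixed: review
    "sma-lab-01": "12.6.0-00010",   # branch not in the advisory: review
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```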
For environments that cannot patch immediately, SonicWall recommends interim mitigations such as:
- restricting access to the appliance management console,
- limiting SSH access to trusted networks,
- and disabling public-facing management interfaces.
Applying the latest hotfix remains the most effective way to reduce exposure.
Improve Vulnerability Response With SOCRadar’s Threat Intelligence
SOCRadar’s Cyber Threat Intelligence module provides timely visibility into actively exploited vulnerabilities by aggregating CVE disclosures, exploitation evidence, threat actor activity, and CISA KEV updates in one place. This enables security teams to quickly understand whether a vulnerability like CVE-2025-40602 is being abused in real-world attacks and how it is being leveraged.
(Image: SOCRadar's Vulnerability Intelligence)
In addition, SOCRadar’s Attack Surface Management (ASM) continuously maps internet-facing assets and identifies exposed services and devices. By linking threat intelligence with asset visibility, teams can determine whether affected products are reachable and prioritize remediation efforts based on actual exposure.