Critical SonicWall SMA Vulnerability CVE-2025-40599: What You Need to Know
SonicWall has disclosed a critical vulnerability in its SMA 100 series remote access devices, tracked as CVE-2025-40599. This issue carries significant risk, particularly for organizations relying on these systems for secure connectivity. In this article, we outline the nature of the vulnerability, associated threats, and practical steps for mitigation.
What Is CVE-2025-40599?
CVE-2025-40599 (CVSS 9.1) is a critical security flaw affecting SonicWall’s Secure Mobile Access (SMA) 100 series appliances, including the SMA 210, 410, and 500v models. This vulnerability stems from an authenticated arbitrary file upload weakness within the web management interface. Exploitation requires administrative privileges, but successful attacks can lead to full Remote Code Execution (RCE).

CVE-2025-40599 vulnerability details (SOCRadar Vulnerability Intelligence)
The flaw specifically impacts SMA 100 firmware versions up to 10.2.1.15-81sv. SonicWall addressed the issue in the 10.2.2.1-90sv release, urging all users to upgrade immediately.
How the Vulnerability Can Be Exploited
Once authenticated, a remote attacker can upload arbitrary files to the appliance. This opens the door for executing malicious code and compromising the entire device. Although administrative privileges are needed, attackers may acquire them through previously stolen credentials or by exploiting other known vulnerabilities.
This vulnerability does not affect the SMA 1000 series or SSL-VPN features on SonicWall firewalls.
UNC6148 Attacks on SMA 100 Devices Using OVERSTEP Malware
While SonicWall has not confirmed active exploitation of CVE-2025-40599, there is mounting concern due to an associated malware campaign. Google’s Threat Intelligence Group (GTIG) recently disclosed that a threat actor, UNC6148, is deploying a sophisticated malware dubbed OVERSTEP on SMA 100 appliances.
UNC6148 reportedly uses stolen credentials and possibly zero-day exploits to access devices. In some attacks, they established VPN sessions using these credentials, launched reverse shells, and deployed the OVERSTEP malware. This backdoor and user-mode rootkit grants persistent, stealthy access by:
- Hijacking system libraries through /etc/ld.so.preload
- Monitoring and hijacking web server log data to receive commands
- Exfiltrating sensitive files
- Hiding processes, files, and logs to evade detection
GTIG’s research suggests OVERSTEP is an evolved variant of previously known tooling used in ransomware campaigns, such as Abyss (VSOCIETY).
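The two OVERSTEP techniques above that a defender can check for on a Linux host are an unexpected /etc/ld.so.preload entry and processes hidden from a libc-mediated /proc listing. The following is an added example (not SonicWall or GTIG tooling); the library path in the comments is a constructed sample, and the live checks assume a Linux /proc layout.

```python
"""Spot ld.so.preload hijacking and user-mode process hiding on a Linux host.
Added example, not from SonicWall or GTIG; sample values are constructed."""
import os

PRELOAD_PATH = "/etc/ld.so.preload"  # the file OVERSTEP is reported to abuse


def parse_preload(text: str) -> list[str]:
    """Return the library paths listed in an ld.so.preload file.
    The loader splits entries on whitespace or ':' and ignores '#' comments."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def unexpected_preloads(text: str, allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Entries not on the allowlist; a clean host normally has no such file at all."""
    return [lib for lib in parse_preload(text) if lib not in allowlist]


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs that answer a direct probe but are missing from the directory listing.
    A rootkit that filters readdir() results still leaves /proc/<pid>/stat reachable
    unless it also hooks stat()/open(), so the difference is a strong signal."""
    return probed - listed


def scan_proc() -> set[int]:
    """Live check: compare listdir('/proc') against a brute-force probe of every PID."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    probed = {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}/stat")}
    return hidden_pids(listed, probed)


if __name__ == "__main__":
    if os.path.exists(PRELOAD_PATH):
        with open(PRELOAD_PATH) as fh:
            print("ld.so.preload entries:", unexpected_preloads(fh.read()))
    print("PIDs hidden from /proc listing:", sorted(scan_proc()))
```

Run it as root so every /proc/<pid>/stat is readable; a non-empty result from either check warrants pulling the box for forensics rather than cleaning it in place.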
Risks from Credential and OTP Seed Reuse
A concerning aspect of this campaign is the reuse of OTP seeds and admin credentials. UNC6148 appears to retain long-term access to appliances even after software patches are applied. According to GTIG, credentials may have been stolen during earlier intrusions exploiting a combination of older CVEs like CVE-2021-20038 and CVE-2024-38475.

SOCRadar Vulnerability Intelligence: Latest CVEs, exploits, and hacker trends
Do not wait for the next headline; get the inside scoop on vulnerabilities that criminals are actually using. SOCRadar’s Cyber Threat Intelligence module, via its Vulnerability Intelligence capabilities, delivers timely alerts on fresh exploits and attack trends so your team can focus on the patches that matter most, cutting down risk with smarter, faster decisions.
How to Mitigate CVE-2025-40599
SonicWall has issued a comprehensive advisory with specific mitigation steps. Here are the key recommendations:
Patch Immediately
Upgrade SMA 100 appliances to firmware version 10.2.2.1-90sv or later. This is the only version that remediates CVE-2025-40599.
Rebuild Compromised Virtual Machines
For virtual SMA 500v appliances:
- Back up the VM image for forensic analysis if needed.
- Delete the existing VM and remove all disks/snapshots.
- Download and deploy a clean appliance image.
- Do not reuse old configurations. Rebuild from scratch to ensure integrity.
Reset Credentials and OTP Bindings
- Reset all user and administrator passwords.
- Reinitialize One-Time Password (OTP) bindings.
- Revoke and reissue all stored certificates.
Enhance Access Controls
- Disable remote management on external-facing interfaces (e.g., X1).
- Enforce Multi-Factor Authentication (MFA).
- Enable Web Application Firewall (WAF).
Monitor for Indicators of Compromise (IoCs)
- Review connection logs and admin login history.
- Look for suspicious changes to configurations or unexplained log entries.
- If compromise is suspected, contact SonicWall Support immediately.
For complete details and technical guidance, refer to SonicWall’s official security advisory: SNWLID-2025-0014.
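Before the rebuild and credential-reset steps, the first question for an appliance inventory is simply which units are still on vulnerable firmware. The version strings below come from the advisory; the parser, the `triage` helper and the inventory hostnames are an added example (not SonicWall code), and the check covers only the patch step, not the rebuild or credential reset that the advisory also requires.

```python
"""Classify SMA 100 firmware strings against the CVE-2025-40599 fix.
Added example, not SonicWall code; version numbers are from the advisory."""
import re

LAST_VULNERABLE = "10.2.1.15-81sv"
FIXED = "10.2.2.1-90sv"

# Dotted numeric release followed by an optional '-<build>sv' suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)sv)?$")


def parse_sma_version(version: str) -> tuple[int, ...]:
    """Turn '10.2.2.1-90sv' into (10, 2, 2, 1, 90) so versions compare numerically.
    Plain string comparison would wrongly rank '10.2.1.15' above '10.2.2.1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))          # pad so the build number is always 5th
    build = int(m.group(2)) if m.group(2) else 0
    return tuple(parts + [build])


def is_patched_for_cve_2025_40599(version: str) -> bool:
    """True when the firmware is 10.2.2.1-90sv or later."""
    return parse_sma_version(version) >= parse_sma_version(FIXED)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split an appliance inventory (hostname -> firmware) into patched and to-patch."""
    result: dict[str, list[str]] = {"patched": [], "needs_patch": []}
    for host, firmware in inventory.items():
        bucket = "patched" if is_patched_for_cve_2025_40599(firmware) else "needs_patch"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    print(triage({"sma-branch-1": LAST_VULNERABLE, "sma-hq": FIXED}))
```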
Critical Authentication Bypass in Mitel MiVoice MX-ONE
As an additional noteworthy development, Mitel Networks has issued patches for a critical vulnerability in its MiVoice MX-ONE enterprise communications platform. The flaw lies in the Provisioning Manager component and results from improper access control, allowing unauthenticated attackers to bypass authentication and potentially gain administrative access.
Impact and Affected Versions
The vulnerability affects MiVoice MX-ONE versions from 7.3 (7.3.0.0.50) up to 7.8 SP1 (7.8.1.0.14). It has been patched in:
- Version 7.8 (MXO-15711_78SP0)
- Version 7.8 SP1 (MXO-15711_78SP1)
The issue does not yet have a CVE identifier, but is considered critical due to the ease of exploitation and the potential impact. Mitel recommends that users:
- Refrain from exposing MX-ONE services directly to the public internet.
- Deploy MX-ONE only within trusted networks.
- Restrict access to the Provisioning Manager service.
Customers using versions from 7.3 onward should contact their authorized Mitel service partner to request the appropriate patch. Visit the official advisory for more information.

SOCRadar’s Attack Surface Management (ASM) module: Monitor assets and company vulnerabilities
Discover hidden risks in your environment ahead of attackers. SOCRadar Attack Surface Management (ASM) scans your external assets nonstop, spotting weak points, forgotten services, and risky exposures.