CVE-2025-40601: SonicOS SSLVPN Buffer Overflow Leads to Firewall Crash Risk, Patch Available
SonicWall has disclosed a high-severity flaw affecting specific Gen7 and Gen8 firewalls. Identified as CVE-2025-40601, the issue is in the SonicOS SSLVPN service and allows a remote, unauthenticated attacker to crash the firewall, causing a Denial-of-Service (DoS) condition.
This blog explains what the vulnerability is, which products are affected, whether active exploitation has been observed, and what administrators should do next.
What Is CVE-2025-40601?
CVE-2025-40601 (CVSS 7.5) is a stack-based buffer overflow vulnerability (classified under CWE-121) located in the SonicOS SSLVPN service. The issue can be triggered without authentication, which means an attacker does not need user credentials to initiate an exploit attempt.
According to SonicWall, a successful attack can cause the firewall to crash, resulting in a Denial-of-Service (DoS). There is no indication that the flaw enables Remote Code Execution (RCE) or data exposure; its impact is limited to availability.
Quick details on CVE-2025-40601 (SOCRadar Vulnerability Intelligence)
The CVSS v3 score of 7.5 reflects the flaw's network accessibility and low attack complexity. Importantly, it only affects systems where the SSLVPN interface or service is enabled.
Which SonicWall Devices Are Affected by CVE-2025-40601?
The vulnerability impacts both hardware and virtual firewalls across Gen7 and Gen8 product lines. Affected products include:
- Gen7 Hardware Firewalls: TZ270–TZ670 series, NSa 2700–6700, and NSsp 10700–15700
- Gen7 Virtual Firewalls (NSv): NSv270, NSv470, NSv870 across ESX, KVM, Hyper-V, AWS, and Azure
- Gen8 Hardware Firewalls: TZ80–TZ680 and NSa 2800–5800
Systems running Gen6, SMA 1000, and SMA 100 series are not affected.
Affected software versions include:
- Gen7: 7.3.0-7012 and older (7.0.1 branch unaffected)
- Gen8: 8.0.2-8011 and older
Has the Vulnerability Been Exploited?
As of the advisory’s initial publication, SonicWall’s PSIRT states that they are not aware of any active exploitation in the wild. No public Proof-of-Concept (PoC) exploit has surfaced, and no malicious activity related to the vulnerability has been reported.
While this reduces immediate risk, now that the vulnerability is public, exploitation attempts are likely to follow, especially because the flaw can be reached before authentication. Applying patches remains the safest course of action.
What Versions Contain the Fix?
SonicWall has released updated firmware versions that address CVE-2025-40601:
- Gen7 devices: fixed in 7.3.1-7013 and later
- Gen8 devices: fixed in 8.0.3-8011 and later
Administrators should schedule upgrades as soon as possible and verify afterward that SSLVPN services run on patched builds.
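The following added example, which is not code from SonicWall or SOCRadar, classifies firewalls from an inventory against the affected and fixed builds listed above. It assumes firmware strings of the form `7.3.0-7012` and that the major version number identifies the generation (7.x for Gen7, 8.x for Gen8); the hostnames and inventory rows are constructed.

```python
import re

# Thresholds are the build numbers quoted in this article.
LAST_AFFECTED = {7: (7, 3, 0, 7012), 8: (8, 0, 2, 8011)}
FIRST_FIXED = {7: (7, 3, 1, 7013), 8: (8, 0, 3, 8011)}
UNAFFECTED_BRANCHES = {(7, 0, 1)}  # "7.0.1 branch unaffected"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Return (major, minor, patch, build), or None if no version is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(firmware, sslvpn_enabled):
    """Classify one firewall against CVE-2025-40601."""
    v = parse_version(firmware)
    if v is None:
        return "unknown"
    if v[0] not in LAST_AFFECTED:  # assumption: major version == generation
        return "out-of-scope"
    if v[:3] in UNAFFECTED_BRANCHES or v >= FIRST_FIXED[v[0]]:
        return "not-affected"
    if v <= LAST_AFFECTED[v[0]]:
        # The flaw is only reachable when the SSLVPN service is enabled.
        return "affected-exposed" if sslvpn_enabled else "affected-sslvpn-off"
    return "unknown"  # build between last affected and first fixed: check advisory


# Constructed sample inventory: (hostname, firmware string, SSLVPN enabled).
INVENTORY = [
    ("fw-branch-01", "SonicOS 7.3.0-7012", True),
    ("fw-branch-02", "SonicOS 7.0.1-5161", True),
    ("fw-hq-01", "SonicOS 7.3.1-7013", True),
    ("fw-lab-01", "SonicOS 8.0.2-8011", False),
    ("fw-dc-01", "SonicOS 8.0.1-8017", True),
]


def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(fw, vpn) for host, fw, vpn in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:14} {status}")
```

Devices reported as `affected-sslvpn-off` still run a vulnerable build and should be upgraded before SSLVPN is enabled on them.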
Is There a Workaround Until Patching?
Yes. SonicWall recommends a temporary mitigation: restrict SSLVPN access to trusted source IPs, or disable SSLVPN access from untrusted internet sources.
This can be done by adjusting SSLVPN access rules within SonicOS. The workaround reduces the attack surface significantly by preventing unknown external hosts from reaching the vulnerable service.
How Can SOCRadar Help?
Keeping track of newly disclosed vulnerabilities like CVE-2025-40601 can be challenging, especially when multiple products and version branches are involved. SOCRadar’s Cyber Threat Intelligence module helps your security team by:
- Providing real-time monitoring of newly published CVEs and vendor advisories
- Highlighting exploitability insights, threat actor chatter, and risk context
- Prioritizing vulnerabilities based on exposure, severity, and threat indicators
- Mapping affected assets through Attack Surface Management (ASM) to identify which systems in your environment require immediate patching
SOCRadar Cyber Threat Intelligence module, Vulnerability Intelligence
By combining vulnerability insights with external threat intelligence, SOCRadar enables your organization to respond faster and reduce the window of exposure.
