SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild.
The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC).
It affects the following versions –
- 12.4.3-03093 (platform-hotfix) and earlier versions – Fixed in 12.4.3-03245 (platform-hotfix)
- 12.5.0-02002 (platform-hotfix) and earlier versions – Fixed in 12.5.0-02283 (platform-hotfix)
“This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges,” SonicWall said.
It’s worth noting that CVE-2025-23006 was patched by the company in late January 2025 in version 12.4.3-02854 (platform-hotfix).
Clément Lecigne and Zander Work of Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting CVE-2025-40602. There are currently no details on the scale of the attacks and who is behind the efforts.
Back in July, Google said it’s tracking a cluster named UNC6148 that’s targeting fully-patched end-of-life SonicWall SMA 100 series devices as part of a campaign designed to drop a backdoor called OVERSTEP. It’s currently not clear if these activities are related.
In light of active exploitation, it’s essential that SonicWall SMA 100 series users apply the fixes as soon as possible.
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-40602 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by December 24, 2025, to secure their networks.
