SonicWall Patches Exploited SMA1000 Flaw CVE-2025-40602

December 17, 2025 at 12:00 AM

SonicWall has released urgent fixes for a Secure Mobile Access (SMA) 1000 series vulnerability that is being actively exploited in the wild: CVE-2025-40602 (CVSS 6.6). The affected 12.4.x and 12.5.x builds are SMA1000 firmware; the SMA 100 series runs a separate 10.2.x firmware line and is not the subject of this advisory.

What’s the issue

  • A local privilege escalation caused by insufficient authorization in the Appliance Management Console (AMC): a user who already has some level of AMC access can gain privileges they were not granted
  • Attackers have reportedly chained this bug with CVE-2025-23006 (CVSS 9.8, a pre-authentication flaw in the same console) to achieve unauthenticated remote code execution with root privileges; the chain only works on appliances that are still missing the January 2025 fix for CVE-2025-23006

Affected and fixed versions

  • 12.4.3-03093 (platform-hotfix) and earlier → fixed in 12.4.3-03245 (platform-hotfix)
  • 12.5.0-02002 (platform-hotfix) and earlier → fixed in 12.5.0-02283 (platform-hotfix)

Related vulnerability

  • CVE-2025-23006 was previously patched in late January 2025 in version 12.4.3-02854 (platform-hotfix)

Who found it

  • Discovered and reported by Clément Lecigne and Zander Work of Google Threat Intelligence Group (GTIG)
  • Details on attack scale and attribution are not yet public

Context to watch

  • In July, Google flagged a cluster dubbed UNC6148 targeting fully patched, end-of-life SMA 100 series devices (a different product line from the SMA1000 appliances affected here) to deploy a backdoor called OVERSTEP; any link between that activity and the current exploitation remains unclear

What to do now

  • Patch immediately to the fixed builds listed above
  • Ensure you’ve also applied the January 2025 fix for CVE-2025-23006 (12.4.3-02854)
  • Limit AMC access to a dedicated management network and monitor it; review administrator accounts and roles for unexpected privilege changes, and check AMC logs for suspicious activity
  • Follow CISA guidance: CVE-2025-40602 is now in the KEV catalog, requiring FCEB agencies to apply fixes by December 24, 2025
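As a concrete version of the "are we on a fixed build?" check implied by the version table and the first two steps above, here is an added example (not code from the advisory, The Hacker News, or SonicWall). It parses build strings in the form SonicWall uses in its advisories, compares them against the fixed builds listed on this page for CVE-2025-40602 and CVE-2025-23006, and reports where each appliance stands. Assumptions: build strings always look like `MAJOR.MINOR.PATCH-BUILD` with an optional parenthetical, "and earlier" means every build on an older release line is also affected (no separate fix build is known for those lines), and the page gives no CVE-2025-23006 fix build for the 12.5 line, so that status is reported as unknown there. The sample build list at the bottom is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Build strings as they appear in SonicWall advisories, e.g. "12.4.3-03093 (platform-hotfix)".
# Assumption: MAJOR.MINOR.PATCH-BUILD, optionally followed by a parenthetical tag.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)(?:\s*\((.*?)\))?\s*$")

Build = Tuple[int, int, int, int]

# Fixed builds for CVE-2025-40602, keyed by release line (major, minor), from the advisory summary.
FIXED_CVE_2025_40602 = {
    (12, 4): (12, 4, 3, 3245),   # 12.4.3-03245 (platform-hotfix)
    (12, 5): (12, 5, 0, 2283),   # 12.5.0-02283 (platform-hotfix)
}
# Fixed build for CVE-2025-23006 on the 12.4 line (January 2025). Nothing is stated for 12.5.
FIXED_CVE_2025_23006 = {
    (12, 4): (12, 4, 3, 2854),   # 12.4.3-02854 (platform-hotfix)
}


def parse_build(s: str) -> Build:
    """Turn '12.4.3-03093 (platform-hotfix)' into the comparable tuple (12, 4, 3, 3093)."""
    m = VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised build string: {s!r}")
    return tuple(int(x) for x in m.groups()[:4])  # type: ignore[return-value]


def fmt(v: Build) -> str:
    """Render a build tuple back in advisory notation (build number zero-padded to five digits)."""
    return f"{v[0]}.{v[1]}.{v[2]}-{v[3]:05d}"


@dataclass
class Assessment:
    build: str
    cve_2025_40602: str              # "vulnerable", "fixed" or "not listed"
    cve_2025_23006: Optional[bool]   # True/False for the 12.4 line and older; None where the page states no fix build
    fix_build: Optional[str]         # build to move to for CVE-2025-40602, if the page names one


def assess(build_str: str) -> Assessment:
    v = parse_build(build_str)
    line = v[:2]
    fixed = FIXED_CVE_2025_40602.get(line)
    if fixed is not None:
        status = "vulnerable" if v < fixed else "fixed"
        fix_build = fmt(fixed)
    elif line < min(FIXED_CVE_2025_40602):
        # "12.4.3-03093 and earlier" covers older release lines too. Assumption: no separate
        # fix build exists for them, so the operator must move to a supported line.
        status, fix_build = "vulnerable", None
    else:
        status, fix_build = "not listed", None

    # CVE-2025-23006: the page only gives the 12.4.3-02854 fix, so judge the 12.4 line and older
    # against it and report the 12.5 line as unknown rather than guessing.
    jan_fix = v >= FIXED_CVE_2025_23006[(12, 4)] if line <= (12, 4) else None
    return Assessment(build_str, status, jan_fix, fix_build)


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    inventory = [
        "12.4.3-03093 (platform-hotfix)",
        "12.4.3-02800 (platform-hotfix)",
        "12.4.3-03245 (platform-hotfix)",
        "12.5.0-02002 (platform-hotfix)",
        "12.5.0-02283 (platform-hotfix)",
    ]
    for b in inventory:
        a = assess(b)
        print(f"{a.build:36} CVE-2025-40602={a.cve_2025_40602:11} "
              f"CVE-2025-23006 fix present={a.cve_2025_23006!s:5} move to={a.fix_build}")
```

Feed the script the build strings shown on each appliance's AMC; any entry reported as vulnerable, or with the January fix absent, is a candidate for the root-level chain described above and should be patched first.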

Bottom line
Given active exploitation and the potential for chaining to achieve root-level RCE, SMA1000 administrators should update to the fixed builds without delay, confirm the January 2025 fix is in place, and tighten access to the management console.

Source: The Hacker News