SonicWall has released security updates of note for its Secure Mobile Access (SMA) 100 series appliances. These updates are meant to address the actively exploited vulnerability CVE-2025-40602. This vulnerability was discovered by Clément Lecigne and Zander Work from Google’s Threat Intelligence Group (GTIG). It includes local privilege escalation due to lack of authorization in the appliance management console (AMC). CVE-2025-40602 has a CVSS score of 6.6 making it a particularly exploitable and damaging vulnerability to users of the affected devices.
Specifically, the flaw impacts SonicWall SMA 100 series appliances. Specifically, it affects 12.4.3-03093 and earlier, as well as 12.5.0-02002 and earlier. We highly recommend that users take action on the fixes we provide in order to prevent outright attacks. The intended corrections are version 12.4.3-03245 for 12.4.3-03093, and version 12.5.0-02283 for 12.5.0-02002.
Nature of the Vulnerability
CVE-2025-40602 poses a significant risk to end-users as it allows for local privilege escalation. An unauthenticated attacker could use this vulnerability to obtain unauthorized access to sensitive functions within the SMA 100 appliances. It would open the door to even greater exploitation opportunities. The underlying problem is poor authorization controls in the appliance management console. Attackers can exploit these weaknesses to obtain elevated privileges.
Cybercriminals are already actively exploiting this vulnerability in the wild. They are going one step further and using it to spread their evil intentions and plans. The creation of these vulnerabilities serves as a reminder for all organizations to be continuously aware and ahead of the curve when it comes to cybersecurity.
Discovery and Response
This vulnerability was discovered by Clément Lecigne and Zander Work of GTIG. They are leading national efforts to improve security throughout technology ecosystems. Their discovery underscores that collaborative research and research-dedicated intelligence sharing is key to staying ahead of emerging threats.
In light of this major flaw, SonicWall has issued patches to help safeguard users from potential exploitation. The company recommends that all users of SMA 100 series appliances use these patches without delay. Taking these steps today will better protect your systems from tomorrow’s active threats.
Ongoing Threat Landscape
As an aside, Google is already hard at work fixing this particular vulnerability. In addition, they are tracking another cluster of activity, named UNC6148, which is ransomware targeting fully-patched, end-of-life SonicWall SMA 100 series devices. Through this campaign, we hope to prevent deployment of this backdoor OVERSTEP. It greatly worsens the security environment for any users who are impacted.
So far, nobody has publicly documented any attacks associated with CVE-2025-40602 on a large scale. We additionally have no data on who’s leading these efforts. All SonicWall SMA 100 series users should be alert to the risk of being infected. Now it’s time to make the essential updates and do so without hesitation.