SonicWall Edge Access Devices Hit by Zero-Day Attacks

Summary

SonicWall disclosed a newly discovered zero-day, CVE-2025-40602, affecting the SMA1000 appliance management console (AMC). It is a medium-severity local privilege escalation (CVSS 6.6) that has been observed in chained attacks paired with an earlier critical vulnerability, CVE-2025-23006 (CVSS 9.8). SonicWall says exploitation of the new flaw requires either that the older critical flaw be left unpatched or that the attacker already has local access to the system.

The vendor has released hotfixes (included in 12.4.3-03245 and later, and 12.5.0-02283 and later) and recommends access restrictions (VPN-only SSH, restrict admin IPs, disable SSL VPN AMC from the public Internet) as additional mitigations. Google TAG researchers Clément Lecigne and Zander Work are credited with discovering CVE-2025-40602.

Key Points

  • CVE-2025-40602 is a medium-severity local privilege escalation in SonicWall SMA1000 AMC (CVSS 6.6).
  • Known attacks chain CVE-2025-40602 with an older critical flaw, CVE-2025-23006 (CVSS 9.8); exploitation paths require the older flaw to be unpatched or prior local access.
  • SonicWall provides hotfixes in versions 12.4.3-03245+ and 12.5.0-02283+; apply immediately where relevant.
  • Practical mitigations: restrict AMC access to VPN or specific admin IPs, disable SSL VPN management interface from the public Internet, and limit SSH exposure.
  • This incident follows other SonicWall incidents in 2025 (cloud backup breach and Akira ransomware activity exploiting earlier CVEs), underlining ongoing targeted activity against the vendor.
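As an added example (not from the Dark Reading article and not SonicWall's own tooling), the following Python checks an SMA1000 version string against the hotfix builds the advisory names and ranks a constructed appliance inventory for patching, putting vulnerable devices whose AMC is reachable from the public Internet first. It assumes the `major.minor.patch-build` layout of the quoted version strings and treats any release branch the advisory does not mention as needing manual review against the vendor bulletin rather than guessing.

```python
import re
from typing import Dict, List, Tuple

# Hotfix builds quoted in the advisory, keyed by release branch.
# The "major.minor.patch-build" layout is assumed from those quoted strings.
HOTFIX_BUILDS: Dict[Tuple[int, int, int], int] = {
    (12, 4, 3): 3245,   # 12.4.3-03245 and later
    (12, 5, 0): 2283,   # 12.5.0-02283 and later
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '12.4.3-03245' into ((12, 4, 3), 3245); reject anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 version string: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch), build


def hotfix_status(text: str) -> str:
    """Return 'patched', 'vulnerable', or 'needs-review' for one version string.

    'needs-review' means the release branch is not one the advisory lists, so
    the build number alone cannot decide; check it against the vendor bulletin.
    """
    branch, build = parse_version(text)
    required = HOTFIX_BUILDS.get(branch)
    if required is None:
        return "needs-review"
    return "patched" if build >= required else "vulnerable"


def triage(inventory: List[Dict]) -> List[Tuple[int, str, str]]:
    """Rank appliances for patching: (priority, name, status), lowest first.

    Priority 0: vulnerable and AMC exposed to the public Internet.
    Priority 1: vulnerable, AMC restricted (VPN / admin IPs only).
    Priority 2: branch not covered by the advisory, needs manual review.
    Priority 3: already on a hotfixed build.
    """
    ranked = []
    for host in inventory:
        status = hotfix_status(host["version"])
        if status == "vulnerable":
            priority = 0 if host["amc_public"] else 1
        elif status == "needs-review":
            priority = 2
        else:
            priority = 3
        ranked.append((priority, host["name"], status))
    ranked.sort()
    return ranked


# Constructed inventory for illustration; hostnames and builds are made up.
SAMPLE_INVENTORY = [
    {"name": "sma-hq-01", "version": "12.4.3-03245", "amc_public": False},
    {"name": "sma-dc-02", "version": "12.5.0-02100", "amc_public": True},
    {"name": "sma-lab-03", "version": "12.4.3-03100", "amc_public": False},
    {"name": "sma-old-04", "version": "12.4.2-01500", "amc_public": False},
]

if __name__ == "__main__":
    for priority, name, status in triage(SAMPLE_INVENTORY):
        print(f"P{priority}  {name:<12} {status}")
```

Feed it the version strings from your own appliance inventory; a `ValueError` on an unexpected format is deliberate, since silently passing an unparsed device is worse than stopping the run.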

Context and Relevance

This is a significant operational security alert for organisations using SonicWall SMA1000/SMA100 appliances. The chaining behaviour — combining a medium local escalation with an unpatched critical remote flaw — is a common attacker pattern that amplifies risk. The disclosure and hotfixes come amid a year of repeated SonicWall-related compromises, so defenders should treat this as part of a sustained threat campaign rather than an isolated bug.

Author style

Punchy: If you run SonicWall SMA devices, this isn’t optional reading — it’s immediate triage. Patch, tighten access, and verify backups and logs. The details matter because attackers are chaining flaws to escalate impact.

Why should I read this

Quick heads-up: if SonicWall sits at the edge of your network, this affects you. The write-up tells you what the flaw is, why attackers are chaining it, and exactly which hotfix versions to look for. Saves you time so you can patch and lock things down before someone else does the testing for you.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/sonicwall-edge-devices-zero-day-attacks