Another bad week for SonicWall as SMA 1000 zero-day under active exploit

Summary

SonicWall has warned of an actively exploited zero-day in its SMA 1000 Secure Mobile Access appliance management console (CVE-2025-40602). The flaw is caused by missing or insufficient authorization checks that allow authenticated users to escalate privileges. Attackers have been chaining this bug with an earlier patched SMA 1000 vulnerability (CVE-2025-23006) to achieve unauthenticated remote code execution with root privileges. SonicWall advises immediate application of hotfixes and restricting access to the Appliance Management Console to trusted networks. Researchers report hundreds of SMA 1000 devices visible on the public internet, increasing the pool of at-risk targets.

Key Points

  • CVE-2025-40602: authorization check failure in SMA 1000 appliance management console allowing privilege escalation.
  • Attackers chain CVE-2025-40602 with CVE-2025-23006 to achieve unauthenticated RCE and root access.
  • SonicWall recommends installing the latest hotfixes immediately and limiting management console access to trusted networks.
  • Researchers found hundreds of SMA 1000 units exposed on the internet, raising mass-exploitation risk.
  • This follows a year of high-profile SonicWall incidents, including a MySonicWall backup compromise that exposed customer configurations.

Context and Relevance

Remote-access appliances are attractive targets because compromising them gives attackers deep lateral movement opportunities. SonicWall has been repeatedly targeted in 2025, and this active zero-day — combined with previously exposed configuration backups — materially increases risk to organisations that still run internet-accessible SMA 1000 devices. The story underlines ongoing industry challenges: patching cadence, attack surface reduction, and securing management interfaces.

Why should I read this?

Short version: if you run an SMA 1000, stop whatever you’re doing and patch or isolate it now. Even if you don’t, it’s a quick heads-up on why exposed management consoles keep getting owned and how appliance compromises give attackers a fast route into corporate networks.

Author style

Punchy: this is a high-priority, actionable alert. The piece flags an active exploit that can give attackers root access when chained with a previous flaw. If you manage SonicWall kit or remote-access infrastructure, read the details and follow the mitigation steps immediately.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/18/sonicwall_sma_1000_0day/