Critical Vulnerabilities in SonicWall SMA 100 Series Appliances

Recent developments have highlighted critical vulnerabilities in SonicWall's Secure Mobile Access (SMA) 100 series appliances, with active exploitation reported. The primary vulnerability, CVE-2025-40602, involves local privilege escalation due to insufficient authorization in the appliance management console. This flaw, with a CVSS score of 6.6, has been actively exploited in the wild. SonicWall has released patches to address this issue, urging users to update their systems promptly.

The vulnerability CVE-2025-40602 is particularly concerning as it can be combined with another severe vulnerability, CVE-2025-23006, which allows unauthenticated remote code execution with root privileges. This combination poses a significant threat to affected systems. CVE-2025-23006 was previously patched in January 2025, but the recent exploitation of CVE-2025-40602 underscores the need for immediate action.

Google's Threat Intelligence Group has been tracking a campaign targeting end-of-life SonicWall SMA 100 series devices, potentially linked to a backdoor named OVERSTEP. While the connection between these activities and the current vulnerabilities remains unclear, the active exploitation of these flaws necessitates urgent attention from all users of the affected systems.

Threats and Vulnerabilities

CVE-2025-40602 is a local privilege escalation vulnerability affecting SonicWall SMA 100 series appliances. It arises from insufficient authorization checks in the appliance management console, allowing attackers to gain elevated privileges. This vulnerability has been actively exploited, highlighting its potential impact on system security.

CVE-2025-23006 is a critical vulnerability that enables unauthenticated remote code execution with root privileges. When combined with CVE-2025-40602, it poses a severe risk to affected systems, allowing attackers to execute arbitrary code remotely. This vulnerability was patched earlier in 2025, but its combination with CVE-2025-40602 increases the threat level.

The campaign tracked by Google's Threat Intelligence Group targets fully patched end-of-life SonicWall SMA 100 series devices. The attackers aim to deploy a backdoor called OVERSTEP, although the relationship between this campaign and the current vulnerabilities is not yet confirmed. The ongoing exploitation of these vulnerabilities highlights the need for vigilance and prompt patching.

Client Impact

Clients using SonicWall SMA 100 series appliances are at risk of operational disruptions due to potential unauthorized access and control over their systems. The exploitation of these vulnerabilities could lead to data breaches, resulting in data loss and financial consequences. Additionally, organizations may face reputational damage if sensitive information is compromised.

From a compliance perspective, failure to address these vulnerabilities could result in regulatory challenges and audits. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that Federal Civilian Executive Branch agencies apply the necessary fixes by December 24, 2025. Non-compliance could lead to penalties and increased scrutiny from regulatory bodies.

Mitigations

To mitigate the risks associated with these vulnerabilities, clients should take the following actions:

  1. Apply the latest patches provided by SonicWall for SMA 100 series appliances immediately to address CVE-2025-40602 and CVE-2025-23006.
  2. Conduct a thorough review of network configurations and access controls to ensure only authorized users have access to critical systems.
  3. Implement robust monitoring and logging practices to detect any unusual activity or unauthorized access attempts.
  4. Educate employees about phishing attacks and social engineering tactics that could be used to exploit these vulnerabilities.
  5. Consider deploying additional security measures such as intrusion detection systems (IDS) and endpoint protection solutions.
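Steps 2 and 3 above (restricting who can reach the management console and monitoring for unusual access) can be expressed as concrete detection rules. The following is an added example written for this advisory, not code from 1898 & Co. or SonicWall: it parses a hypothetical syslog-style management-console log format (constructed here, not the appliance's real format), applies an assumed policy (admin subnet, business hours, which accounts may change privileges), and reports anomalies. Rule 4 is a defender-side check for the class of flaw the advisory describes (privilege changes performed by accounts that should not hold that right); it is not a signature for CVE-2025-40602 itself.

```python
# Added example (not from the advisory or from SonicWall): management-console
# access anomaly detection over constructed log lines. The log format and the
# policy constants below are assumptions for this example; adapt the regex to
# the real appliance output and the constants to your own environment.
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical log line shape: "<ISO ts> mgmt-console user=.. src=.. action=.. result=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) mgmt-console user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log lines (addresses are documentation ranges).
SAMPLE_LOG = """\
2025-12-01T02:13:07Z mgmt-console user=admin src=198.51.100.23 action=login result=fail
2025-12-01T02:13:09Z mgmt-console user=admin src=198.51.100.23 action=login result=fail
2025-12-01T02:13:11Z mgmt-console user=admin src=198.51.100.23 action=login result=fail
2025-12-01T02:13:14Z mgmt-console user=admin src=198.51.100.23 action=login result=success
2025-12-01T02:14:02Z mgmt-console user=admin src=198.51.100.23 action=role_change result=success
2025-12-01T09:30:00Z mgmt-console user=netops src=10.0.5.12 action=login result=success
2025-12-01T09:31:10Z mgmt-console user=netops src=10.0.5.12 action=config_view result=success
2025-12-01T15:05:00Z mgmt-console user=helpdesk src=10.0.5.40 action=role_change result=success
"""

# Assumed policy: the management plane is reachable only from the admin subnet,
# console logins happen during business hours (UTC), and only named admin
# accounts may perform privilege-changing actions.
ALLOWED_MGMT_PREFIXES = ("10.0.5.",)
BUSINESS_HOURS = range(8, 18)
PRIVILEGED_ACTIONS = {"role_change", "user_create", "firmware_upload"}
PRIVILEGE_ADMINS = {"admin", "netops"}
FAIL_THRESHOLD = 3


def parse_log(text):
    """Parse constructed log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events):
    """Apply the four rules in log order and return a list of alert dicts."""
    alerts = []
    seen_untrusted = set()
    consecutive_fails = defaultdict(int)

    def alert(rule, ev, detail):
        alerts.append({"rule": rule, "ts": ev["ts"].isoformat(),
                       "user": ev["user"], "src": ev["src"], "detail": detail})

    for ev in events:
        key = (ev["user"], ev["src"])
        # Rule 1: console reached from outside the admin subnet (reported once per user/source pair)
        if not ev["src"].startswith(ALLOWED_MGMT_PREFIXES) and key not in seen_untrusted:
            seen_untrusted.add(key)
            alert("untrusted_source", ev, "management console reached from a non-allowlisted address")
        if ev["action"] == "login":
            if ev["result"] == "fail":
                consecutive_fails[key] += 1
            else:
                # Rule 2: a run of failures followed by a success suggests password guessing
                if consecutive_fails[key] >= FAIL_THRESHOLD:
                    alert("brute_force_then_success", ev,
                          f"{consecutive_fails[key]} failed logins followed by success")
                consecutive_fails[key] = 0
                # Rule 3: successful console login outside business hours
                if ev["ts"].hour not in BUSINESS_HOURS:
                    alert("off_hours_login", ev, "successful login outside business hours")
        # Rule 4: privilege-changing action by an account not expected to hold that right
        if ev["action"] in PRIVILEGED_ACTIONS and ev["user"] not in PRIVILEGE_ADMINS:
            alert("unauthorized_privileged_action", ev, f"{ev['action']} by non-admin account")
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['ts']} user={a['user']} src={a['src']}: {a['detail']}")
```

Run against the constructed sample, the script raises four alerts: one for the external source reaching the console, one for three failures followed by a success, one for the off-hours login, and one for a role change by the helpdesk account. In practice the allowlist check belongs in the firewall policy in front of the management interface as well as in the log review, and any hit on rule 4 on an appliance that is still unpatched should be treated as a possible exploitation of the authorization flaw described above.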

By taking these steps, clients can significantly reduce their exposure to these vulnerabilities and enhance their overall security posture. It is crucial to remain vigilant and proactive in applying security updates and monitoring for potential threats.

1898 & Co. Response

1898 & Co. is actively addressing the current threat landscape by offering specialized services to help clients secure their SonicWall SMA 100 series appliances. Our team is focused on providing tailored solutions that address these specific vulnerabilities and enhance overall network security.

We are updating our security protocols and practices to incorporate the latest threat intelligence and mitigation strategies. Our collaborative efforts with industry allies and government agencies ensure that we stay ahead of emerging threats and provide our clients with the most effective security measures.

Our ongoing research and threat intelligence gathering activities enable us to offer clients timely insights into potential risks and vulnerabilities. We have successfully assisted numerous organizations in mitigating similar threats, demonstrating our capability to deliver effective security solutions.

Sources

    1. SonicWall Security Advisory on CVE-2025-40602