SonicWall has published fixes to address security flaws in its Secure Mobile Access (SMA) 100 Series appliances. This flaw is reportedly being exploited in the wild.
Vulnerabilities are tracked as follows CVE-2025-40602 (CVSS score: 6.6), regarding a case of local privilege escalation that occurs as a result of insufficient authentication in the Appliance Management Console (AMC).
Affects the following versions:
- 12.4.3-03093 (Platform Hotfix) and earlier versions – Fixed in 12.4.3-03245 (Platform Hotfix)
- 12.5.0-02002 (Platform Hotfix) and earlier – Fixed in 12.5.0-02283 (Platform Hotfix)
“This vulnerability has been reported to be exploited in conjunction with CVE-2025-23006 (CVSS score 9.8) to allow unauthorized remote code execution with root privileges,” SonicWall said.
It is worth noting that CVE-2025-23006 was patched by the company in version 12.4.3-02854 (platform hotfix) in late January 2025.
CVE-2025-40602 was discovered and reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group (GTIG). At this time, details about the scale of the attack and who is behind it are unknown.
Back in July, Google announced that it was tracking a cluster named UNC6148 targeting fully patched end-of-life SonicWall SMA 100 series devices as part of a campaign aimed at dropping a backdoor called OVERSTEP. It is currently unknown whether these activities are related.
Given the active exploitation, it is important for SonicWall SMA 100 series users to apply the fix as soon as possible.
