Vulnerabilities | December 23, 2025 | 5 min read

SonicWall Patches Exploited SMA1000 Zero-Day Used in Chained RCE Attack

CVE-2025-40602, a privilege escalation flaw, combined with an earlier vulnerability enables unauthenticated remote code execution on SonicWall appliances.

Marcus Chen

SonicWall released a security update on December 17 addressing CVE-2025-40602, a privilege escalation vulnerability in the SMA1000 Appliance Management Console that attackers have been exploiting in the wild. The flaw is particularly dangerous because threat actors are chaining it with an older vulnerability to achieve unauthenticated remote code execution with root privileges.

TL;DR

  • What happened: Attackers are actively exploiting CVE-2025-40602 in SonicWall SMA1000 appliances, chaining it with CVE-2025-23006 for full RCE
  • Who's affected: Organizations using SonicWall SMA 1000 series appliances with internet-exposed management consoles
  • Severity: Medium individually (CVSS 6.6), but Critical when chained - enables unauthenticated RCE with root
  • Action required: Update to 12.4.3-03245 or 12.5.0-02283 immediately; restrict AMC access to trusted IPs

What is CVE-2025-40602?

CVE-2025-40602 is a local privilege escalation vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC). The flaw stems from insufficient authorization checks that allow an authenticated attacker to escalate privileges beyond their assigned permissions.

On its own, this vulnerability carries a CVSS score of 6.6—medium severity. But attackers aren't using it in isolation.

How Are Attackers Chaining the Vulnerabilities?

Threat actors are combining CVE-2025-40602 with CVE-2025-23006, a deserialization vulnerability that SonicWall patched back in January 2025. CVE-2025-23006 carries a CVSS score of 9.8 and allows unauthenticated attackers to execute code, but with limited privileges.

By chaining the two vulnerabilities together, attackers achieve what neither vulnerability provides alone: unauthenticated remote code execution with root privileges. The January flaw gets them onto the system, and the December flaw elevates their access to complete control.

This attack pattern highlights why organizations can't deprioritize "medium severity" vulnerabilities. In combination with other flaws, they can become far more dangerous than their individual scores suggest.

Who Discovered This Vulnerability?

Google's Threat Intelligence Group (GTIG) researchers Clément Lecigne and Zander Work discovered CVE-2025-40602 and reported it to SonicWall. Google's involvement in the discovery suggests the vulnerability was found during investigation of active threat activity—researchers often identify new flaws while analyzing exploitation of existing ones.

CISA added CVE-2025-40602 to its Known Exploited Vulnerabilities catalog, setting a December 24, 2025 deadline for federal agencies to apply patches.

Which Products Are Affected?

The vulnerability affects only SonicWall SMA 1000 series appliances. Other SonicWall firewall products and the SSL VPN functionality are not impacted.

SonicWall released fixes in the following versions:

  • 12.4.3-03245 (platform-hotfix) for the 12.4.3 firmware train
  • 12.5.0-02283 (platform-hotfix) for the 12.5.0 firmware train

Organizations should update to these versions or later releases that incorporate the fixes.

Recommended Mitigations

  1. Apply the patch immediately - Update to the fixed firmware versions for your appliance
  2. Restrict AMC access - Limit Appliance Management Console connections to VPN or specific administrator IP addresses
  3. Disable public-facing management - Remove SSL VPN management interface (AMC) and SSH access from internet-facing configurations
  4. Verify January patches applied - Confirm CVE-2025-23006 was addressed; the chain attack requires both vulnerabilities
  5. Monitor for compromise - Review logs for unusual administrative access or unexpected privilege usage

How Many Devices Are Exposed?

Security researchers tracking exposed SonicWall devices report hundreds of SMA 1000 units visible on the public internet. While the total number is smaller than some other appliance categories, the devices serve sensitive remote access functions that make them high-value targets.

Organizations exposing management interfaces to the internet—rather than restricting access to internal networks or VPN connections—face the greatest risk from this vulnerability chain.

Why This Matters

SonicWall isn't the only vendor dealing with actively exploited edge device vulnerabilities this month. WatchGuard, Fortinet, and Cisco have all disclosed flaws under active attack. The pattern suggests a coordinated effort by threat actors to target network perimeter devices across multiple vendors.

Edge security appliances present attractive targets because they:

  • Often have internet-facing services by design
  • Handle authentication and access control
  • Provide potential pivot points into internal networks
  • Sometimes lag behind in patching due to change management processes

The chained exploitation technique also demonstrates attacker sophistication. Combining a flaw patched in January with a December zero-day requires tracking vendor security updates and identifying opportunities to pair vulnerabilities for maximum impact.

Frequently Asked Questions

How do I check if my SonicWall SMA1000 is vulnerable?

Log into your appliance and check the firmware version. If you're running anything older than 12.4.3-03245 (for the 12.4.x train) or 12.5.0-02283 (for the 12.5.x train), you're vulnerable to CVE-2025-40602. Also verify you applied the January patch for CVE-2025-23006.
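As an added example (not code from the article or from SonicWall), the following Python helper parses SMA1000 version strings in the form the advisory uses, classifies a firmware version against the two fixed builds above, and triages a small appliance inventory. The hostnames and build numbers in the sample inventory are constructed, and the "unknown" outcome for trains the advisory does not name is a deliberately conservative assumption.

```python
import re
# Fixed builds named in the advisory for CVE-2025-40602, keyed by
# firmware train (major, minor, patch).
FIXED_BUILDS = {
    (12, 4, 3): 3245,  # 12.4.3-03245 (platform-hotfix)
    (12, 5, 0): 2283,  # 12.5.0-02283 (platform-hotfix)
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_version(version: str) -> tuple:
    """Split '12.4.3-03245' into ((12, 4, 3), 3245); ValueError otherwise."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 version: {version!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build

def assess_cve_2025_40602(version: str) -> str:
    """'patched', 'vulnerable' or 'unknown' for one firmware version. Trains
    the advisory does not name (older, or a hypothetical newer 12.4.4) are
    'unknown': check them against the vendor advisory, don't assume safe."""
    train, build = parse_version(version)
    fixed_build = FIXED_BUILDS.get(train)
    if fixed_build is None:
        return "unknown"
    return "patched" if build >= fixed_build else "vulnerable"

def triage_inventory(csv_text: str) -> dict:
    """Map 'hostname,version' lines (blank lines and '#' comments skipped)
    to a status; malformed version strings are reported as 'unparseable'."""
    result = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            result[host.strip()] = assess_cve_2025_40602(version)
        except ValueError:
            result[host.strip()] = "unparseable"
    return result

# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = """\
# hostname,firmware
sma-dc1.example.internal,12.4.3-03245
sma-dc2.example.internal,12.4.3-03190
sma-branch.example.internal,12.5.0-02283
sma-lab.example.internal,12.3.1-00500
"""
```

Feed `triage_inventory` the output of your own asset inventory and treat every "unknown" or "unparseable" host as a manual follow-up, not as patched.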

What should I do first?

Apply the December patch immediately. While you're at it, confirm that the January patch for CVE-2025-23006 was installed—without it, attackers can use the older vulnerability as the first stage of the chain attack.

Does this affect my SonicWall firewall?

No. CVE-2025-40602 only affects SMA 1000 series appliances. SonicWall firewall products and the SMA 100 series use different code and are not vulnerable to this specific flaw.
