The chained zero-day exploit against SonicWall SMA1000 appliances (CVE-2025-40602 & CVE-2025-23006) enables unauthenticated RCE as root via exposed management consoles.
Immediate patching, exposure reduction, monitoring, and response preparedness are critical to prevent full system compromise.
Primary Vulnerability (CVE-2025-40602): A medium-severity local privilege escalation in the SonicWall SMA1000 Appliance Management Console (AMC). Reported by Google Threat Intelligence researchers Clément Lecigne and Zander Work. This flaw alone doesn’t impact SSL-VPN services.
Exploitation Chain: Attackers combine CVE-2025-40602 with CVE-2025-23006, a critical pre-authentication deserialization vulnerability (CVSS: 9.8), to achieve unauthenticated remote code execution at root level.
Exploit:
- Attack Vector: Exploitation targets SMA1000 appliances with the AMC interface exposed to the internet.
- Severity: High risk — unauthenticated RCE at root level leads to full system compromise.
- Impact: Successful chaining allows attackers to run arbitrary OS commands as root, granting full system control.
- Scale: Shadowserver has identified over 950 internet-exposed SMA1000 appliances; unpatched instances remain viable targets.
Affected Systems:
- Product: SonicWall SMA1000 secure remote access appliances.
- Components: The vulnerability lies in the Appliance Management Console (AMC).
- Note: This issue does not affect SonicWall SSL-VPN running on firewall devices.
Recommendations and Mitigations:
- Apply Patch: Apply the latest hotfix to SMA1000 appliances immediately. SonicWall strongly advises users to upgrade to the version containing the patch.
- Review Exposure: Identify all appliances reachable from the internet or untrusted networks.
- Monitor Continuously: Maintain high-fidelity logging and alerting on AMC activities.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.

