The chained zero-day exploit against SonicWall SMA1000 appliances (CVE-2025-40602 & CVE-2025-23006) enables unauthenticated RCE as root via exposed management consoles.
Immediate patching, exposure reduction, monitoring, and response preparedness are critical to prevent full system compromise.
Primary Vulnerability (CVE-2025-40602): A medium-severity local privilege escalation in the SonicWall SMA1000 Appliance Management Console (AMC). Reported by Google Threat Intelligence researchers Clément Lecigne and Zander Work. This flaw alone doesn’t impact SSL-VPN services.
Exploitation Chain: Attackers combine CVE-2025-40602 with CVE-2025-23006, a critical pre-authentication deserialization vulnerability (CVSS: 9.8), to achieve unauthenticated remote code execution at root level.
Attack Vector: Exploitation targets SMA1000 appliances with the AMC interface exposed to the internet.
Impact: Successful chaining allows attackers to run arbitrary OS commands as root, granting full system control.
Scale: Shadowserver has identified over 950 internet-exposed SMA1000 appliances; unpatched instances remain viable targets.
Product: SonicWall SMA1000 secure remote access appliances.
Components: The vulnerability lies in the Appliance Management Console (AMC).
Note: This issue does not affect SonicWall SSL-VPN running on firewall devices.