SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances


These articles are AI-generated summaries. Please check the original sources for full details.

SonicWall released patches for CVE-2025-40602, a local privilege escalation vulnerability in its SMA 100 series appliances, which is currently being exploited in the wild. The vulnerability, with a CVSS score of 6.6, stems from insufficient authorization checks within the appliance management console.

Why This Matters

Ideal security models assume timely patching, but real-world deployments often lag, creating windows for attackers. Unpatched vulnerabilities in network appliances like VPN gateways are prime targets, as compromise can lead to widespread network breaches and data exfiltration; the cost of a successful attack can easily reach millions of dollars.

Key Insights

  • CVE-2025-40602 & CVE-2025-23006: Exploitation of CVE-2025-40602 is often chained with CVE-2025-23006 (CVSS 9.8) for unauthenticated remote code execution.
  • Threat Actor UNC6148: In 2025, Google Threat Intelligence Group (GTIG) is tracking UNC6148, a cluster targeting end-of-life SonicWall SMA 100 devices with the OVERSTEP backdoor.
  • CISA KEV Directive: CISA added CVE-2025-40602 to its KEV catalog, mandating FCEB agencies remediate by December 24, 2025.

Practical Applications

  • Use Case: Organizations using SonicWall SMA 100 series appliances must immediately apply the provided patches to prevent potential compromise.
  • Pitfall: Relying on network segmentation as a sole mitigation strategy is insufficient; attackers gaining root access can often bypass internal controls.
