SonicWall has patched a local privilege escalation vulnerability (CVE-2025-40602) in its Secure Mobile Access (SMA) 1000 series appliances, which large enterprises use to provide secure remote access to internal applications. The company is urging customers to apply the hotfix to prevent exploitation.
The flaw has reportedly been exploited in combination with an earlier zero-day, CVE-2025-23006 (disclosed in January 2025), a chain that would give an unauthenticated attacker remote code execution with root privileges. SonicWall credited Google's Threat Intelligence Group with reporting the vulnerability, but no details about the attacks have been shared.
To mitigate CVE-2025-40602, organizations should upgrade affected appliances to a fixed firmware version (12.4.3-03245 or later) and restrict access to the Appliance Management Console (AMC) to a small set of known admin IP addresses. The AMC and SSH should not be reachable from the public internet at all; management access belongs on a trusted network only.
Note: if an SMA 1000 appliance is already patched against CVE-2025-23006, an attacker would first need some other way to obtain a local system user account before CVE-2025-40602 could be exploited. The hotfix in the latest advisory should still be applied, since the privilege escalation remains available to anyone who gains such a foothold.
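The two mitigations above (a minimum firmware build and management interfaces that are reachable only from admin networks) are easy to turn into a fleet triage check. The following is an added example written for this page, not SonicWall code or tooling: it compares SMA 1000 version strings against the fixed build from the advisory and flags any appliance whose AMC or SSH is reachable from a source network outside a trusted admin range. The trusted subnet, appliance names, version numbers and firewall source lists are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# First fixed SMA 1000 firmware build for CVE-2025-40602, per SonicWall's advisory.
FIXED_VERSION = "12.4.3-03245"

# Hypothetical trusted admin management subnet; replace with your own.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]


def parse_version(version: str) -> tuple:
    """Turn a 'major.minor.patch-build' SMA 1000 version string into a tuple that
    compares numerically, so '12.4.3-03245' sorts after '12.4.3-03244' and
    '12.4.10' after '12.4.9' (a plain string comparison would get both wrong).
    A missing build number counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str) -> bool:
    """True if the firmware predates the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def exposed_sources(sources, trusted=TRUSTED_MGMT_NETS):
    """Return the source CIDRs in `sources` that are not fully contained in a
    trusted admin network. '0.0.0.0/0' (any source) always ends up here."""
    bad = []
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so match the family first.
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            bad.append(src)
    return bad


@dataclass
class Appliance:
    name: str
    version: str
    # Source CIDRs allowed to reach the AMC (HTTPS management UI) and SSH,
    # as you would read them off the edge firewall policy.
    amc_allowed_from: list = field(default_factory=list)
    ssh_allowed_from: list = field(default_factory=list)


def assess(app: Appliance) -> list:
    """Findings for one appliance, in the order the advisory mitigations are listed."""
    findings = []
    if is_vulnerable(app.version):
        findings.append(
            f"firmware {app.version} is below {FIXED_VERSION}: apply the CVE-2025-40602 hotfix"
        )
    amc = exposed_sources(app.amc_allowed_from)
    if amc:
        findings.append(f"AMC reachable from untrusted sources {amc}: restrict to admin IPs")
    ssh = exposed_sources(app.ssh_allowed_from)
    if ssh:
        findings.append(f"SSH reachable from untrusted sources {ssh}: block from the internet")
    return findings


def triage(inventory) -> dict:
    """Map appliance name -> list of findings (empty list means nothing to do)."""
    return {app.name: assess(app) for app in inventory}


# Constructed sample inventory: names, versions and firewall sources are made up.
SAMPLE_INVENTORY = [
    Appliance("sma-hq-1", "12.4.3-03200", ["0.0.0.0/0"], ["0.0.0.0/0"]),
    Appliance("sma-hq-2", "12.4.3-03245", ["10.0.5.0/24"], []),
    Appliance("sma-lab", "12.4.2-02900", ["10.0.5.0/24", "198.51.100.0/24"], ["10.0.5.10/32"]),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The version parser is the part worth copying: SonicWall builds carry a zero-padded build suffix, and comparing them as strings breaks as soon as a component reaches two digits. Feeding the script a real inventory means exporting each appliance's firmware version and the firewall rules that front its management ports; the check deliberately treats any source outside the admin range, not just 0.0.0.0/0, as exposure.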
This article has been updated with the latest information on SonicWall’s patch for CVE-2025-40602 and provides guidance on how organizations can protect themselves against exploitation of this vulnerability.
Source: https://www.helpnetsecurity.com/2025/12/17/sonicwall-cve-2025-40602