Hackers Actively Exploit SonicWall SMA1000 Zero-Day to Escalate Privileges
SonicWall has released an urgent security advisory regarding the active exploitation of a local privilege escalation vulnerability affecting its SMA1000 appliances, which allows attackers with management console access to gain elevated privileges and potentially achieve complete system control.
This vulnerability, tracked as CVE-2025-40602, is caused by insufficient authorization checks in the SonicWall SMA1000 Appliance Management Console (AMC) and can be exploited to gain elevated privileges.
The following table summarizes the key details of the vulnerability:
| Field | Value |
|---|---|
| Vulnerability Name | SonicWall SMA1000 Local Privilege Escalation |
| CVE ID | CVE-2025-40602 |
| Advisory ID | SNWLID-2025-0019 |
| CVSS Score | 6.6 (Medium) |
Researchers from Google Threat Intelligence Group have discovered that this vulnerability can be chained with another critical vulnerability, CVE-2025-23006, to achieve unauthenticated remote code execution with root-level privileges, posing a significant risk to organizations relying on SonicWall’s remote access infrastructure.
The vulnerability affects SMA1000 devices running platform-hotfix versions 12.4.3-03093 and earlier, as well as 12.5.0-02002 and earlier. However, SonicWall has clarified that this flaw does not impact SSL-VPN functionality on standalone firewalls, limiting exposure but still presenting substantial risk to SMA1000 appliance users.
Threat actors are actively exploiting CVE-2025-40602 in combination with CVE-2025-23006, which has a CVSS score of 9.8. The previous flaw was remedied in build version 12.4.3-02854, released January 22, 2025.
SonicWall has released patched versions to address the vulnerability, and organizations must upgrade to platform-hotfix 12.4.3-03245 or higher, or 12.5.0-02283 or higher to obtain protection. The security patches are available through mysonicwall.com for registered users. For more information, please visit the SonicWall PSIRT website.
Until patching is completed, SonicWall recommends implementing strict access controls on the Appliance Management Console, restricting SSH access exclusively to company VPN connections or designated administrative IP addresses, and disabling public internet access to the AMC and SSH services as a temporary mitigation measure.
SonicWall PSIRT urges all SMA1000 users to prioritize upgrading to the latest hotfix release immediately, given the active exploitation and critical nature of the vulnerability when combined with CVE-2025-23006.
Organizations face urgent pressure to deploy fixes across their infrastructure to prevent potential attacks and ensure the security of their SMA1000 appliances.