Threat actors are actively exploiting a privilege escalation vulnerability affecting SonicWall Secure Mobile Access (SMA) 1000 series appliances. The vulnerability, tracked as CVE-2025-40602, stems from insufficient authorization checks within the Appliance Management Console (AMC).
The issue has been confirmed as exploited in real-world attacks and has been leveraged as part of a broader exploitation chain targeting exposed SMA appliances.
Impact
When exploited, CVE-2025-40602 allows an authenticated user to escalate privileges on the SMA appliance. SonicWall has confirmed that attackers have chained this vulnerability with a previously disclosed flaw (CVE-2025-23006) to achieve unauthenticated remote code execution with root privileges. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
This exploitation chain significantly elevates risk: successful compromise may result in full administrative control of the appliance and exposure of sensitive configuration data.
Affected Technologies
The vulnerability impacts only the following product line: SonicWall Secure Mobile Access (SMA) 1000 series.
Other SonicWall firewall products are not affected.
Affected versions:
- 12.4.3-03093 and earlier, fixed in 12.4.3-03245
- 12.5.0-02002 and earlier, fixed in 12.5.0-02283
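The build ranges above can be applied to an appliance inventory with a short triage script. This is an added example, not SonicWall or OP Innovate code; the hostnames and inventory are constructed, and treating releases older than 12.4.3 as affected is an assumption based on the "and earlier" wording.

```python
import re

# (last affected build, first fixed build) per release train, from the advisory.
TRAINS = {
    (12, 4, 3): (3093, 3245),
    (12, 5, 0): (2002, 2283),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'unverified' or 'unparseable'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch, build = map(int, m.groups())
    release = (major, minor, patch)
    if release in TRAINS:
        last_affected, first_fixed = TRAINS[release]
        if build <= last_affected:
            return "affected"
        if build >= first_fixed:
            return "fixed"
        # Builds between the two listed builds are not covered by the advisory.
        return "unverified"
    # Assumption: "and earlier" also covers releases older than the oldest train.
    if release < min(TRAINS):
        return "affected"
    # Anything else (other or newer trains) must be checked against the vendor.
    return "unverified"

def triage(inventory: dict) -> dict:
    """Group appliance names by status so affected units can be patched first."""
    result = {}
    for host, version in sorted(inventory.items()):
        result.setdefault(classify(version), []).append(host)
    return result

# Constructed sample inventory: hostnames are made up for illustration.
SAMPLE = {
    "sma-edge-01": "12.4.3-03093",
    "sma-edge-02": "12.4.3-03245",
    "sma-dr-01": "12.5.0-02283",
    "sma-lab-01": "12.5.0-02100",
    "sma-old-01": "12.4.2-02500",
    "sma-bad-01": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:12} {', '.join(hosts)}")
```

Anything reported as unverified or unparseable should be checked by hand against the vendor advisory rather than assumed safe.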
Mitigation Guidance
Organizations operating SonicWall SMA 1000 appliances should take the following actions as a priority:
- Apply SonicWall platform hotfixes and upgrade to fixed firmware versions immediately
- Restrict access to the Appliance Management Console to trusted IP ranges or dedicated management networks
- Review administrative access logs for anomalous logins or privilege changes
- If compromise is suspected, isolate the affected appliance, rotate credentials, and initiate incident response procedures
Stay Safe. Stay Secure
OP Innovate Research Team



