CVE-2025-40602 — SonicWall SMA1000 Missing Authorization Vulnerability

SonicWall SMA1000 — Privilege Escalation to Root in Appliance Management Console

What is SonicWall SMA1000?

SonicWall Secure Mobile Access (SMA) 1000 Series is an enterprise SSL VPN and remote access appliance providing secure connectivity for remote workers to on-premises resources. The Appliance Management Console (AMC) is its web-based administrative interface for configuration, user management, and policy control. SonicWall SMA appliances sit at the network perimeter with privileged access to internal networks, making them high-value targets for state-sponsored and ransomware threat actors who exploit them as initial access points. SonicWall SMA devices have been repeatedly targeted since at least 2021, including by ransomware groups and China-nexus APTs.

Overview

CVE-2025-40602 is a missing authorization vulnerability in the SonicWall SMA1000 Appliance Management Console that allows a high-privileged authenticated attacker to escalate to root-level access on the device. The CVSS base score of 6.6 understates the real-world risk: this vulnerability was actively exploited as a zero-day and was added to the CISA KEV catalog on the same day SonicWall released the patch — a rare concurrent disclosure indicating in-progress nation-state exploitation. It was discovered by Google Threat Intelligence Group researchers Clément Lecigne and Zander Work.

The vulnerability is most critical when chained with CVE-2025-23006 (a pre-authentication remote code execution flaw in the same product, patched February 2025): CVE-2025-23006 provides unauthenticated initial code execution as a low-privilege user, and CVE-2025-40602 then escalates that foothold to root. The combination enables full unauthenticated root compromise of internet-exposed SMA1000 appliances.

Affected Versions

Product             Vulnerable        Fixed
SonicWall SMA1000   < 12.4.3-03245    12.4.3-03245 (platform-hotfix)
SonicWall SMA1000   < 12.5.0-02283    12.5.0-02283 (platform-hotfix)

Appliances already patched for CVE-2025-23006 but running firmware below these hotfix versions remain vulnerable to the privilege escalation.
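As an added inventory check (not code from SonicWall or the advisory), the script below encodes the table above: it parses SMA1000 firmware strings, compares each one against the hotfix build for its own branch, and separates hosts on branches the advisory does not list from hosts with malformed entries. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed builds from the Affected Versions table, keyed by firmware
# branch (major, minor). Branches not listed are not covered by the advisory.
FIXED_BUILDS = {
    (12, 4): (12, 4, 3, 3245),  # 12.4.3-03245 platform-hotfix
    (12, 5): (12, 5, 0, 2283),  # 12.5.0-02283 platform-hotfix
}
# SMA1000 firmware strings look like "12.4.3-03245": major.minor.patch-build.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a firmware string into a comparable (major, minor, patch, build) tuple."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised SMA1000 version string: {text!r}")
    major, minor, patch, build = (int(part) for part in match.groups())
    return (major, minor, patch, build)


def is_vulnerable(version: str) -> Optional[bool]:
    """True below the branch hotfix, False at or above it, None if the branch is unlisted."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed  # tuple order: patch level first, then build number


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort a (hostname, firmware) inventory into remediation buckets."""
    report: Dict[str, List[str]] = {k: [] for k in ("vulnerable", "patched", "unlisted_branch", "unparseable")}
    for host, firmware in inventory:
        try:
            status = is_vulnerable(firmware)
        except ValueError:
            report["unparseable"].append(host)
            continue
        bucket = "unlisted_branch" if status is None else ("vulnerable" if status else "patched")
        report[bucket].append(host)
    return report


# Constructed sample inventory; hostnames and versions are illustrative, not from the advisory.
SAMPLE_INVENTORY = [
    ("sma-dc1", "12.4.3-03244"),  # one build short of the 12.4 hotfix
    ("sma-dc2", "12.4.3-03245"),  # exactly the hotfix
    ("sma-eu1", "12.5.0-02190"),  # below the 12.5 hotfix
    ("sma-eu2", "12.5.1-00010"),  # later patch level on the 12.5 branch
    ("sma-lab", "12.3.2-00500"),  # branch not in the advisory table
    ("sma-old", "v12.4"),         # malformed inventory entry
]
```

Running `triage(SAMPLE_INVENTORY)` puts sma-dc1 and sma-eu1 in the vulnerable bucket; an appliance that was patched for CVE-2025-23006 but sits below the hotfix build lands there too.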

Technical Details

CWE-250 (Execution with Unnecessary Privileges). Certain operations within the SMA1000 Appliance Management Console execute system commands or process requests without adequately validating the privilege level of the requesting user. A high-privileged AMC user (below root) can submit crafted requests that trigger these operations, effectively executing actions as root.

Standalone, the CVSS vector (AV:N/AC:H/PR:H) reflects that exploitation requires existing high-level credentials and high complexity. In the chain scenario with CVE-2025-23006:

  1. CVE-2025-23006 (CVSS 9.8, pre-auth OS command injection in SMA1000 web management) provides an unauthenticated shell session as a low-privilege user.
  2. CVE-2025-40602 escalates that session to root via the AMC authorization flaw.

Chained, the two flaws cancel each other's limiting preconditions (the authentication CVE-2025-40602 requires and the privilege escalation CVE-2025-23006 lacks), yielding unauthenticated root-level remote code execution.

Discovery

Discovered by Clément Lecigne and Zander Work of Google Threat Intelligence Group (GTIG), a team known for identifying zero-day exploitation by nation-state and commercial spyware operators. SonicWall credited them in the advisory. GTIG's involvement, combined with the same-day KEV addition, is consistent with discovery during active threat actor campaign monitoring.

Exploitation Context

Confirmed zero-day exploitation prior to patch release on December 17, 2025. CISA added CVE-2025-40602 to the KEV catalog concurrently with the patch release, setting a seven-day federal remediation deadline of December 24, 2025. SonicWall urged all customers to check for signs of compromise on internet-accessible SMA1000 instances in addition to applying the hotfix. No specific threat actor or campaign was publicly named at disclosure, but GTIG's discovery pattern is consistent with nation-state-grade tooling.

Shodan-indexed SMA1000 AMC interfaces number in the thousands globally, concentrated in enterprise and government networks across North America, Europe, and Asia-Pacific.

Remediation

  1. Apply the platform hotfix: 12.4.3-03245 or 12.5.0-02283 (see SonicWall advisory for the applicable version for your branch).
  2. Also verify that CVE-2025-23006 (the pre-auth RCE patched February 2025) is addressed — appliances must be patched for both to close the full attack chain.
  3. After patching, conduct a compromise assessment: review AMC access logs, system logs, and running processes for signs of unauthorized access or persistence mechanisms (unexpected cron jobs, modified binaries, unfamiliar accounts).
  4. Restrict AMC network access to trusted management IP ranges; the AMC should not be internet-accessible.
  5. Rotate all administrative credentials for the AMC after patching if exploitation cannot be ruled out.
  6. Monitor for SonicWall PSIRT advisories and apply future hotfixes promptly — the SMA1000 has a history of critical vulnerabilities.

Key Details

Property               Value
CVE ID                 CVE-2025-40602
Vendor / Product       SonicWall — SMA1000 appliance
NVD Published          2025-12-18
NVD Last Modified      2025-12-19
CVSS 3.1 Score         6.6
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               MEDIUM
CWE                    CWE-250
CISA KEV Added         2025-12-17
CISA KEV Deadline      2025-12-24
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      High
Privileges Required    High
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-12-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-12-17   SonicWall releases hotfix; CISA adds to KEV catalog (same day as patch — confirmed zero-day)
2025-12-18   CVE published
2025-12-24   CISA KEV remediation deadline

References

Resource                                      Type
SonicWall PSIRT Advisory — SNWLID-2025-0019   Vendor Advisory
NVD — CVE-2025-40602                          Vulnerability Database
CISA KEV Catalog Entry                        US Government