On Wednesday, SonicWall disclosed a zero-day vulnerability affecting its SMA1000 access platform that is under active exploitation in chained attacks.
CVE-2025-40602 is a medium-severity local privilege escalation vulnerability in SonicWall’s SMA1000 appliance management console (AMC). The flaw, which received a 6.6 CVSS score, stems from insufficient authorization in the AMC, according to SonicWall’s advisory.
The vendor said the zero-day vulnerability has reportedly been exploited in the wild in chained attacks with an older critical flaw, CVE-2025-23006. That critical vulnerability, which also affects SMA100 devices, came under zero-day attack in January.
“The only known exploitation paths for CVE-2025-40602 (CVSS 6.6) require either that CVE-2025-23006 (CVSS 9.8) remains unpatched, or that the threat actor already possesses access to a local system account,” SonicWall said in its advisory.
Mitigating CVE-2025-23006
The scope and source of the attacks on CVE-2025-40602 are unclear. SonicWall’s advisory does not include information on the exploitation activity. Dark Reading contacted SonicWall for comment on the activity; the vendor responded with a statement but did not comment directly on the attacks.
Researchers Clément Lecigne and Zander Work of Google’s Threat Intelligence Group were credited with the discovery of CVE-2025-40602.
SonicWall strongly advised customers to apply the hotfixes for the vulnerability, which are included in version 12.4.3-03245 and higher and in version 12.5.0-02283 and higher. Additional mitigations include restricting access to the AMC so that SSH is reachable only through a VPN or from specific administrator IP addresses, or disabling both the SSL VPN management interface in the AMC and SSH access from the public Internet.
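Because the hotfix lands in two separate release trains, a naive "is my version number bigger than 12.4.3-03245" check passes 12.5.0 builds that are still below 12.5.0-02283. The following script is an added example for triaging an SMA1000 inventory against the two fixed versions named above; it is not SonicWall tooling. It assumes the version string format is major.minor.patch-build as written in the advisory, that the release train is identified by major.minor, and that trains older than 12.4 have no hotfix; hostnames and versions in the sample inventory are constructed.

```python
"""Hotfix check for SonicWall SMA1000 version strings (added example, not SonicWall tooling)."""
import re
from typing import NamedTuple

# Fixed builds named in SonicWall's advisory ("and higher" within each train).
FIXED_VERSIONS = ("12.4.3-03245", "12.5.0-02283")

# Assumed format: major.minor.patch-build, matching the advisory's own numbers.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int

    @property
    def train(self) -> tuple:
        # Assumption: a release train is identified by major.minor (12.4 vs 12.5).
        return (self.major, self.minor)


def parse_version(text: str) -> Version:
    """Parse '12.4.3-03245' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SMA1000 version string: {text!r}")
    return Version(*(int(g) for g in m.groups()))


_FIX_BY_TRAIN = {f.train: f for f in (parse_version(v) for v in FIXED_VERSIONS)}


def assess(installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for an installed version.

    A build is patched only when it is at or above the fixed build of its own
    train. Comparing against a single threshold would wrongly pass 12.5.0-00100,
    which sorts above 12.4.3-03245 but below the 12.5 fix.
    """
    v = parse_version(installed)
    fix = _FIX_BY_TRAIN.get(v.train)
    if fix is not None:
        return "patched" if v >= fix else "vulnerable"
    if v.train < min(_FIX_BY_TRAIN):
        # Assumption: trains older than any with a named hotfix have no fix.
        return "vulnerable"
    # Newer train than the advisory covers: review manually rather than assume.
    return "unknown"


def triage_inventory(inventory: dict) -> dict:
    """Map hostname -> status for an {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and version numbers are invented.
    sample = {
        "sma-dc1.example.invalid": "12.4.3-03245",
        "sma-dc2.example.invalid": "12.4.3-03190",
        "sma-dr1.example.invalid": "12.5.0-00100",
        "sma-lab.example.invalid": "12.5.1-00010",
        "sma-old.example.invalid": "12.3.9-99999",
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```

Feed it the version strings exported from your appliance inventory; anything reported as "vulnerable" or "unknown" should be prioritised for the hotfix or a manual review, and the AMC access restrictions described above apply regardless of the result.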
“If CVE-2025-23006 has not been patched, the system is already exposed to a critical vulnerability. In this scenario, chaining CVE-2025-40602 does not materially increase the overall risk or attack surface,” SonicWall said.
The attacks on CVE-2025-40602 aren’t the worst threats to SonicWall customers this year. In October, the vendor acknowledged that threat actors breached a cloud backup service and obtained the firewall configuration data of all customers using the service. Over the summer, customers were hit with a wave of attacks by the Akira ransomware gang. While researchers initially suspected the attacks stemmed from a new zero-day flaw under exploitation, SonicWall later confirmed that ransomware actors were exploiting an older vulnerability, CVE-2024-40766, affecting firewall devices.