SonicWall has released fixes for a security flaw in its Secure Mobile Access (SMA) 100 series appliances that the company said has been actively exploited. The vulnerability is tracked as CVE-2025-40602 and carries a CVSS score of 6.6. SonicWall posted technical and mitigation details on its PSIRT portal.
The flaw is a local privilege escalation arising from insufficient authorization in the appliance management console (AMC). Affected builds include 12.4.3-03093 (platform-hotfix) and earlier, which are fixed in 12.4.3-03245 (platform-hotfix), and 12.5.0-02002 (platform-hotfix) and earlier, which are fixed in 12.5.0-02283 (platform-hotfix).
SonicWall said the vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges. CVE-2025-23006 was patched in late January 2025 in version 12.4.3-02854 (platform-hotfix), the company added.
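A practitioner reading the advisory summarised above usually wants a quick way to turn the fixed-build numbers into a check against the firmware string shown on their own appliance. The following Python is an added example written for this page, not SonicWall tooling: it parses build strings of the form `12.4.3-03093 (platform-hotfix)`, compares them against the fixed builds named above for CVE-2025-40602 (12.4.3-03245 and 12.5.0-02283) and CVE-2025-23006 (12.4.3-02854), and flags a device that lacks both fixes as exposed to the reported chain. Its assumptions, which are not stated on the page: builds on branches older than 12.4 are treated as affected because the advisory says "and earlier", the fix status of CVE-2025-23006 on the 12.5 branch is reported as unknown because only a 12.4 fix build is given, and the sample version strings are constructed for illustration.

```python
import re
from typing import Optional

# Build strings in the advisory look like "12.4.3-03093 (platform-hotfix)".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)(?:\s*\(platform-hotfix\))?\s*$"
)

# First fixed build per branch (major, minor), as stated in the advisory text above.
FIXED_CVE_2025_40602 = {
    (12, 4): (12, 4, 3, 3245),  # 12.4.3-03245
    (12, 5): (12, 5, 0, 2283),  # 12.5.0-02283
}
# Only a 12.4-branch fix build is given for CVE-2025-23006 (12.4.3-02854).
FIXED_CVE_2025_23006 = {
    (12, 4): (12, 4, 3, 2854),
}


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, build) as ints; leading zeros in the build are dropped."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SMA build string: {text!r}")
    return tuple(int(g) for g in m.groups())


def _is_fixed(version: tuple, table: dict) -> Optional[bool]:
    """True/False when the advisory covers this branch, None when it does not.

    Assumption: a branch older than the oldest fixed branch is treated as
    affected, following the advisory's "and earlier" wording.
    """
    branch = version[:2]
    if branch in table:
        return version >= table[branch]
    if branch < min(table):
        return False
    return None  # newer branch not mentioned in the advisory; cannot say


def assess(text: str) -> dict:
    """Summarise exposure of one firmware build to the two CVEs named above."""
    version = parse_version(text)
    fixed_40602 = _is_fixed(version, FIXED_CVE_2025_40602)
    fixed_23006 = _is_fixed(version, FIXED_CVE_2025_23006)
    return {
        "version": version,
        "cve_2025_40602_fixed": fixed_40602,
        "cve_2025_23006_fixed": fixed_23006,
        # The reported chain needs both flaws; a device is only exposed to it
        # when both fixes are confirmed missing.
        "chain_exposed": fixed_40602 is False and fixed_23006 is False,
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [
        "12.4.3-02800 (platform-hotfix)",
        "12.4.3-03093 (platform-hotfix)",
        "12.4.3-03245 (platform-hotfix)",
        "12.5.0-02002 (platform-hotfix)",
        "12.5.0-02283 (platform-hotfix)",
    ]
    for build in inventory:
        r = assess(build)
        print(build, "->", {k: v for k, v in r.items() if k != "version"})
```

Run it against the build string shown in the AMC; any device where `cve_2025_40602_fixed` is `False` needs the hotfix regardless of the chain result, since the local privilege escalation stands on its own.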
Clément Lecigne and Zander Work of Google Threat Intelligence Group are credited with discovering and reporting CVE-2025-40602. There are no public details available on the scale of the attacks or the identities of those responsible. In July, Google reported tracking a cluster named UNC6148 targeting end-of-life SMA 100 series devices to deploy a backdoor called OVERSTEP; it is not clear whether those activities are related to the current exploitation.
SonicWall SMA 100 series users are advised to apply the provided fixes as soon as possible.