SonicWall has warned customers of a zero-day flaw in its SMA 1000 remote-access appliance that’s being actively exploited, potentially allowing attackers to escalate privileges and take over boxes.

The bug, tracked as CVE-2025-40602, resides in the appliance management console of SonicWall’s Secure Mobile Access (SMA) 1000 series and stems from missing or insufficient authorization checks that let authenticated attackers elevate their privileges.

SonicWall’s advisory says the vulnerability has been chained with another SMA 1000 flaw patched earlier this year (CVE-2025-23006) to enable unauthenticated remote code execution with root rights – a particularly nasty combo when weaponized in the wild.

SonicWall’s official notice, published this week, says users should update to the latest hotfix versions immediately and restrict access to the Appliance Management Console to trusted networks. The vendor’s PSIRT team says the issue affects only SMA 1000 appliances and does not impact other SonicWall firewall products or SSL VPN functions, but the fact that attackers have already begun exploiting the flaw underscores how exposed remote-access infrastructure remains.

Researchers tracking exposed devices report hundreds of SMA 1000 units visible on the open internet, meaning a large pool of potentially vulnerable targets if patches aren’t applied quickly.

SonicWall has been a frequent target for cybercrime crews in 2025. In September, the vendor disclosed a breach of its MySonicWall cloud backup service, where a
