SonicWall Patches Actively Exploited CVE-2025-40602 in SMA 100 Appliances

SonicWall has released security updates to address an actively exploited vulnerability affecting its Secure Mobile Access (SMA) 100 series appliances. The company confirmed that the flaw has been observed in real-world attacks, prompting an urgent call for customers to apply the available fixes.

The issue, tracked as CVE-2025-40602 with a CVSS score of 6.6, is a local privilege escalation vulnerability caused by insufficient authorization controls within the Appliance Management Console. If successfully exploited, the flaw allows an authenticated local attacker to elevate privileges on the affected system.

According to SonicWall, the vulnerability affects two release branches. Version 12.4.3 03093 and earlier is fixed in version 12.4.3 03245, and version 12.5.0 02002 and earlier is fixed in version 12.5.0 02283.

The company stated that CVE-2025-40602 has been exploited in combination with another critical flaw, CVE-2025-23006, which carries a CVSS score of 9.8. When chained together, the two vulnerabilities enable unauthenticated remote code execution with root-level privileges. SonicWall had already patched CVE-2025-23006 in late January 2025 with the release of version 12.4.3 02854.
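For triage, the fixed builds listed above can be applied to an appliance inventory. The following is an added example, not SonicWall tooling: the host names, the sample inventory, the status labels and the accepted separators between version and build are assumptions, and it assumes any build below a branch's fixed build is unpatched.

```python
import re

# Fixed builds per release branch, taken from the article text.
FIXED_40602 = {(12, 4, 3): 3245, (12, 5, 0): 2283}
# The article gives a CVE-2025-23006 fixed build only for the 12.4.3 branch.
FIXED_23006 = {(12, 4, 3): 2854}

# Accept "12.4.3-03093" as well as "12.4.3 03093" (separator is an assumption).
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)[\s\-_]+(\d+)\s*$")
PRIORITY = ["chain-exposed", "lpe-exposed", "unparsed", "branch-not-covered", "patched"]

def parse_version(text):
    """Return ((major, minor, patch), build), or None if unrecognised."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build

def triage(version_text):
    """Classify one firmware version string against the article's fixed builds."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparsed"            # needs a manual look, never assume patched
    branch, build = parsed
    fixed = FIXED_40602.get(branch)
    if fixed is None:
        return "branch-not-covered"  # article says nothing about this branch
    if build >= fixed:
        return "patched"
    # Missing the CVE-2025-40602 fix; is the CVE-2025-23006 fix missing too?
    fixed_rce = FIXED_23006.get(branch)
    if fixed_rce is not None and build < fixed_rce:
        return "chain-exposed"       # both halves of the reported chain unpatched
    return "lpe-exposed"

def triage_inventory(inventory):
    """Return (host, version, status) rows, most urgent first."""
    rows = [(host, ver, triage(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (PRIORITY.index(r[2]), r[0]))

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [("sma-a", "12.4.3-03245"), ("sma-b", "12.4.3 03093"),
          ("sma-c", "12.4.3-02804"), ("sma-d", "12.5.0-02002"),
          ("sma-e", "12.5.0 02283"), ("sma-f", "10.2.1-00001"),
          ("sma-g", "unknown")]

if __name__ == "__main__":
    for host, ver, status in triage_inventory(SAMPLE):
        print(f"{status:20} {host:8} {ver}")
```

Rows marked `unparsed` or `branch-not-covered` are deliberately kept out of the `patched` bucket so they get checked by hand.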

The discovery and responsible disclosure of CVE-2025-40602 have been credited to Clément Lecigne and Zander Work from the Google Threat Intelligence Group. At this time, there is no public information regarding the scope of the exploitation or the identity of the threat actors involved.

Earlier in July, Google reported tracking a threat cluster known as UNC6148. This group was observed targeting fully patched but end-of-life SonicWall SMA 100 devices in a campaign designed to deploy a backdoor named OVERSTEP. It remains unclear whether the newly disclosed exploitation activity is directly connected to that campaign.

Given the confirmation of active exploitation, SonicWall has strongly advised all SMA 100 series users to update their systems immediately. Applying the latest hotfixes is critical to reducing the risk of compromise and preventing attackers from gaining elevated access to vulnerable appliances.
