CVE-2025-40599
Published 2025-07-23
Priority: P2 · 66 · Severity: critical · CVSS 3.1 base score: 9.1
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 11.63% (95.5th percentile)
An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote attacker with administrative privileges can exploit this flaw to upload arbitrary files to the system, potentially leading to remote code execution.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma_100_series | — | — |
| sonicwall | sma_210_firmware | < 10.2.2.1-90sv | 10.2.2.1-90sv |
| sonicwall | sma_410_firmware | < 10.2.2.1-90sv | 10.2.2.1-90sv |
| sonicwall | sma_500v_firmware | < 10.2.2.1-90sv | 10.2.2.1-90sv |
Detection & IOCs (extracted from sources)
- Monitor the SMA 100 series web management interface for unauthorized file upload activity, particularly by accounts with administrative privileges; such activity could indicate exploitation of CVE-2025-40599 leading to remote code execution.
- Review logs on SMA 100 appliances for unauthorized access and any suspicious activity, and check for the indicators of compromise in Google Threat Intelligence Group (GTIG)'s report on OVERSTEP rootkit malware deployments.
- Detect and alert on OVERSTEP rootkit deployment on SMA 100 appliances; it has been observed in attacks leveraging compromised credentials against these devices.
- Note: exploitation of CVE-2025-40599 requires the attacker to already hold administrative privileges on the SMA 100 web management interface; unauthenticated exploitation is not possible.
- Note: as of the reporting date, there is no confirmed evidence of active in-the-wild exploitation of CVE-2025-40599 specifically, though SMA 100 devices are being targeted via other means (compromised credentials plus the OVERSTEP rootkit).
No detection rules found.
No public exploits indexed.
Bleepingcomputer (blogs_bleepingcomputer · 2025-08-05)
## SonicWall urges admins to disable SSLVPN amid rising attacks
## Sergiu Gatlan
SonicWall has warned customers to disable SSLVPN services due to ransomware gangs potentially exploiting an unknown security vulnerability in SonicWall Gen 7 firewalls to breach networks over the past few weeks.
The warning comes after Arctic Wolf Labs reported on Friday that it had observed multiple Akira ransomware attacks, likely using a SonicWall zero-day vulnerability, since July 15th.
"The initial access methods have not yet been confirmed in this campaign," the Arctic Wolf Labs researchers said. "While the existence of a zero-day vulnerability is highly plausible, credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases.
Bleepingcomputer (blogs_bleepingcomputer · 2025-08-01)
## SonicWall firewall devices hit in surge of Akira ransomware attacks
## Sergiu Gatlan
Update August 05, 03:12 EDT: Cybersecurity company Huntress confirmed Arctic Wolf's findings on Monday and published a report providing indicators of compromise (IOCs) collected while investigating this campaign. Further details are available in this Reddit thread.
SonicWall firewall devices have been increasingly targeted since late July in a surge of Akira ransomware attacks, potentially exploiting a previously unknown security vulnerability, according to cybersecurity company Arctic Wolf.
Akira emerged in March 2023 and quickly claimed many victims worldwide across various industries. Over the last two years, Akira has added over 300 organizations to its dark web leak portal and claimed responsi
Bleepingcomputer (blogs_bleepingcomputer · 2025-07-24 · CVSS 6.5, MEDIUM)
## SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
## Sergiu Gatlan
SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution.
The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the specified fixed release version to remediate this vulnerability," the company said. "This vulnerability does not affect SonicWall SSL VPN SMA1000 series products or