CVE-2025-40599
published 2025-07-23


Priority: P2 66 · Severity: critical · CVSS 3.1 base score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 11.63% (95.5th percentile)
An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote attacker with administrative privileges can exploit this flaw to upload arbitrary files to the system, potentially leading to remote code execution.

Affected

4 ranges

Vendor      Product               Version range      Fixed in
sonicwall   sma_100_series
sonicwall   sma_210_firmware      < 10.2.2.1-90sv    10.2.2.1-90sv
sonicwall   sma_410_firmware      < 10.2.2.1-90sv    10.2.2.1-90sv
sonicwall   sma_500v_firmware     < 10.2.2.1-90sv    10.2.2.1-90sv

Detection & IOCs (extracted from sources)

  • Monitor SMA 100 series web management interface for unauthorized file upload activity, particularly by accounts with administrative privileges, which could indicate exploitation of CVE-2025-40599 leading to remote code execution.
  • Review logs on SMA 100 appliances for unauthorized access and any suspicious activity, and check for indicators of compromise from Google Threat Intelligence Group (GTIG)'s report on OVERSTEP rootkit malware deployments.
  • Detect and alert on OVERSTEP rootkit malware deployment on SMA 100 appliances, which has been observed in attacks leveraging compromised credentials against these devices.
  • Exploitation of CVE-2025-40599 requires the attacker to already have administrative privileges on the SMA 100 web management interface; unauthenticated exploitation is not possible.
  • As of the reporting date, there is no confirmed evidence of active in-the-wild exploitation of CVE-2025-40599 specifically, though SMA 100 devices are being targeted via other means (compromised credentials + OVERSTEP rootkit).