CVE-2025-40602
published 2025-12-18

CVE-2025-40602: A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).

Priority P184 | medium 6.6 | CVSS 3.1
AV:N / AC:H / PR:H / UI:N / S:U / C:H / I:H / A:H
KEV | ITW | Ransomware
CISA Known Exploited Vulnerability, due 2025-12-24
Exploited in the wild
EPSS: 1.91% (77.2th percentile)

Affected

13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma | | |
| sonicwall | sma1000 | | |
| sonicwall | sma1000 | | |
| sonicwall | sma6200_firmware | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma6200_firmware | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |
| sonicwall | sma6210_firmware | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma6210_firmware | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |
| sonicwall | sma7200_firmware | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma7200_firmware | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |
| sonicwall | sma7210_firmware | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma7210_firmware | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |
| sonicwall | sma8200v | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma8200v | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |

Detection & IOCs (extracted from sources)

  • CVE-2025-40602 was chained with CVE-2025-23006 (CVSS 9.8, pre-authentication deserialization) to achieve unauthenticated remote code execution with root privileges on SonicWall SMA1000 appliances — detect exploit chains targeting both vulnerabilities together
  • Over 950 SMA1000 appliances are exposed online — prioritize detection and monitoring on internet-facing SMA1000 AMC interfaces for privilege escalation activity
  • CISA directs checking for signs of compromise on all internet-accessible SonicWall SMA1000 instances after applying mitigations — perform post-patch forensic review
  • The vulnerability affects the SonicWall SMA1000 Appliance Management Console (AMC) only — it does NOT affect SSL-VPN running on SonicWall firewalls
  • CVE-2025-23006 (the chained pre-auth deserialization flaw) was already patched in build 12.4.3-02854 (platform-hotfix) released January 22, 2025 — environments not yet on that build remain fully exposed to the combined RCE chain

CVSS provenance

  • nvd: v3.1, 6.6 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  • vulncheck: 9.8 CRITICAL
  • cisa: 6.6 MEDIUM