CVE-2025-40602
Published: 2025-12-18
CVE-2025-40602: A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
Priority: P184 · medium · 6.6 (CVSS 3.1)
Vector: AV:N / AC:H / PR:H / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability · due 2025-12-24
Exploited in the wild
EPSS: 1.91% (77.2th percentile)
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma | — | — |
| sonicwall | sma1000 | — | — |
| sonicwall | sma1000 | — | — |
| sonicwall | sma6200_firmware | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma6200_firmware | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |
| sonicwall | sma6210_firmware | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma6210_firmware | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |
| sonicwall | sma7200_firmware | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma7200_firmware | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |
| sonicwall | sma7210_firmware | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma7210_firmware | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |
| sonicwall | sma8200v | < 12.4.3-03245 | 12.4.3-03245 |
| sonicwall | sma8200v | >= 12.5.0 < 12.5.0-02283 | 12.5.0-02283 |
Detection & IOCs
- CVE-2025-40602 was chained with CVE-2025-23006 (CVSS 9.8, pre-authentication deserialization) to achieve unauthenticated remote code execution with root privileges on SonicWall SMA1000 appliances — detect exploit chains targeting both vulnerabilities together
- Over 950 SMA1000 appliances are exposed online — prioritize detection and monitoring on internet-facing SMA1000 AMC interfaces for privilege escalation activity
- CISA directs checking for signs of compromise on all internet-accessible SonicWall SMA1000 instances after applying mitigations — perform post-patch forensic review
- The vulnerability affects the SonicWall SMA1000 Appliance Management Console (AMC) only — it does NOT affect SSL-VPN running on SonicWall firewalls
- CVE-2025-23006 (the chained pre-auth deserialization flaw) was already patched in build 12.4.3-02854 (platform-hotfix) released January 22, 2025 — environments not yet on that build remain fully exposed to the combined RCE chain
CVSS provenance
nvd · v3.1 · 6.6 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 6.6 MEDIUM
GHSA
GHSA-p9f8-2p87-2pq5: A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC)
ghsa_unreviewed·2025-12-18
CVE-2025-40602 [MEDIUM] CWE-250 GHSA-p9f8-2p87-2pq5: A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC)
VulnCheck
SonicWall SMA1000 Missing Authorization Vulnerability
vulncheck·2025·CVSS 6.6
CVE-2025-40602 [MEDIUM] CWE-862 SonicWall SMA1000 Missing Authorization Vulnerability
SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation in the appliance management console (AMC) of affected devices.
Affected: SonicWall SMA1000 appliance
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable
Known Ransomware Campaign Use: Known
Exploitation References: https://arcticwolf.com/resources/blog/cve-2025-40602/; https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.recordedfuture.com/blog/december-2025-cve-landscape; https://www.loginsoft.com/
VulnCheck
SonicWall SMA1000 Appliances Deserialization Vulnerability
vulncheck·2025·CVSS 9.8
CVE-2025-23006 [CRITICAL] CWE-502 SonicWall SMA1000 Appliances Deserialization Vulnerability
SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) contain a deserialization of untrusted data vulnerability, which can enable a remote, unauthenticated attacker to execute arbitrary OS commands.
Affected: SonicWall SMA1000 Appliances
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.coveware.com/blog/2025/4/29/the-organizational-structure-of-ransomware-threat-actor-groups-is-evolving-before-our
SonicWall
CVE-2025-40602: A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
vendor_sonicwall·2025-12-18·CVSS 6.6
CVE-2025-40602 [MEDIUM] CWE-250 CVE-2025-40602: A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
CISA
SonicWall SMA1000 Missing Authorization Vulnerability
cisa·2025-12-17·CVSS 6.6
CVE-2025-40602 [MEDIUM] CWE-862 SonicWall SMA1000 Missing Authorization Vulnerability
Vulnerability: SonicWall SMA1000 Missing Authorization Vulnerability
Affected: SonicWall SMA1000 appliance
SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation in the appliance management console (AMC) of affected devices.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable
Notes: Check for signs of potential compromise on all internet accessible SonicWall SMA1000 instances after applying mitigations. For more information please see: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019 ; https://nvd.nist.gov/vuln/detail/CVE-2025-40602
Remediation Due Date: 2025-12-24
No detection rules found.
No public exploits indexed.
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant·2026-03-05
# Look What You Made Us Patch: 2025 Zero-Days in Review
March 5, 2026
##### Google Threat Intelligence Group
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
### Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both
Wiz
Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
blogs_wiz·2026-01-22·CVSS 8.7
CVE-2025-55182 [HIGH] Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security: noteworthy incidents, exclusive data, and crucial vulnerabilities. Let’s jump in.
## 🔍 Highlights
React2Shell: Critical RCE Vulnerability in React and Next.js
React2Shell (CVE-2025-55182) is a critical, unauthenticated remote code execution vulnerability rooted in insecure deserialization within the React Server Components (RSC) “Flight” protocol, impacting React 19 and RSC-enabled frameworks, most notably Next.js. The flaw affects default configurations, meaning standard production deployments can be exploited with a single crafted HTTP request and no developer misconfiguration, with exploitation demonstrating near-100% reliability.
Since early December 2025, exploitation has been observed in the wild by multipl
Tenable
Exploitation of CVE-2025-40602 chained with CVE-2025-23006
blogs_tenable·2025-12-17·CVSS 9.8
[CRITICAL] Exploitation of CVE-2025-40602 chained with CVE-2025-23006
Bleepingcomputer
Sonicwall warns of new SMA1000 zero-day exploited in attacks
blogs_bleepingcomputer·2025-12-17·CVSS 9.8
CVE-2025-40602 [CRITICAL] Sonicwall warns of new SMA1000 zero-day exploited in attacks
## Sonicwall warns of new SMA1000 zero-day exploited in attacks
## Sergiu Gatlan
SonicWall warned customers today to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was chained in zero-day attacks to escalate privileges.
According to SonicWall, this medium-severity local privilege escalation security flaw (CVE-2025-40602) was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group, and doesn't affect SSL-VPN running on SonicWall firewalls.
"SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability," the company said in a Wednesday advisory.
Remote unauthenticated attackers chained this vulnerability with a critical-severity SMA1000 pre-au
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
blogs_recorded_future·CVSS 7.8
CVE-2025-55182 [HIGH] December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
# December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-conce
Wiz
CVE-2025-40602 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-40602 [CRITICAL] CVE-2025-40602 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40602:
SonicWall SMA 8200v Appliance vulnerability analysis and mitigation
A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
Source: NVD
Score: 6.6
Published: December 18, 2025
Severity: MEDIUM
CNA Score: 6.6
High-profile Vulnerability: Yes
Affected Technologies: SonicWall SMA 8200v Appliance
Has Public Exploit: Yes
Has CISA KEV Exploit: Yes
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 54
Exploitation Probability (EPSS): 0.3
Affected packages and libraries
cpe:2.3:a:sonicwall:sma8200v
Sources
Linux Severity MEDIUM Has Fix Added at: Dec 18, 2025
Windows Severity MEDIUM Has Fix Added at: Dec 18, 2025
2025-12-18: Published
2025-12-17: Added to CISA KEV
Exploited in the wild