CVE-2025-40604
Published 2025-11-20
Priority P261 critical 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.17% (6.5th percentile)
Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | email_security | — | — |
| sonicwall | email_security | — | — |
| sonicwall | email_security_appliance_5000_firmware | <= 10.0.33.8195 | — |
| sonicwall | email_security_appliance_5050_firmware | <= 10.0.33.8195 | — |
| sonicwall | email_security_appliance_7000_firmware | <= 10.0.33.8195 | — |
| sonicwall | email_security_appliance_7050_firmware | <= 10.0.33.8195 | — |
| sonicwall | email_security_appliance_9000_firmware | <= 10.0.33.8195 | — |
Detection & IOCs (extracted from sources)
- CVE-2025-40604 targets SonicWall Email Security appliances (ES Appliance 5000, 5050, 7000, 7050, 9000, VMware, and Hyper-V); monitor for unauthorized modifications to root filesystem images (VMDK or datastore files) on these appliances, which may indicate exploitation.
- Exploitation requires VMDK or datastore-level access; audit hypervisor/datastore access logs (VMware ESX, Hyper-V) for unexpected access to Email Security appliance disk images as a precursor indicator.
- Affected platforms include ES Appliance 5000, 5050, 7000, 7050, 9000, VMware, and Hyper-V variants; prioritize monitoring and patching of virtual deployments where datastore access is more broadly available.
- Exploitation requires pre-existing VMDK or datastore access; this is not a remote unauthenticated vector, and the attacker must already have hypervisor/storage-level access to the Email Security appliance environment.
- No public PoC or active in-the-wild exploitation has been reported for CVE-2025-40604 at time of disclosure; however, SonicWall strongly urges immediate upgrade of affected Email Security products.
SonicWall
vendor_sonicwall·2025-11-20·CVSS 9.8
CVE-2025-40604 [CRITICAL] CWE-494
GHSA
ghsa_unreviewed·2025-11-20
CVE-2025-40604 [MEDIUM] CWE-494 GHSA-pcxg-qcmm-jh7x
No detection rules found.
No public exploits indexed.
Published: 2025-11-20