Severity
High
Analysis Summary
Security researchers have identified a critical privilege escalation vulnerability in SonicWall’s SMA1000 appliance, tracked as CVE-2025-40602, which attackers are actively exploiting to gain unauthorized administrative access. The flaw lies in the appliance management console, where insufficient authorization controls allow an authenticated attacker to escalate privileges and potentially compromise the entire device. SonicWall PSIRT disclosed the vulnerability on December 17, 2025, and it has been assigned a CVSS v3 rating of medium, indicating medium-to-high severity.
The advisory highlights an especially concerning scenario in which CVE-2025-40602 is chained with another vulnerability, CVE-2025-23006, an unauthenticated remote code execution flaw rated high under CVSS. By combining the two, attackers can achieve unauthenticated root-level access, effectively gaining full control over affected SMA1000 appliances. This amplifies the risk for organizations relying on SonicWall’s remote access solutions.
Affected versions include SMA1000 12.4.3-03093 and earlier, as well as 12.5.0-02002 and earlier. SonicWall has released patched versions—12.4.3-03245 and 12.5.0-02283—and strongly urges all users to upgrade immediately via mysonicwall.com. It is important to note that the vulnerability does not affect SSL-VPN on SonicWall firewalls, which somewhat limits the potential impact.
Until patches are deployed, SonicWall recommends several mitigations to reduce exposure. These include restricting SSH access to the management console via VPN or approved administrative IPs and disabling SSL-VPN management interface access from the public internet. Given the active exploitation and the ease of chaining this flaw with CVE-2025-23006, organizations should treat patching SMA1000 appliances as a top priority to prevent potential breaches and unauthorized control over their remote access infrastructure.
Impact
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
CVE-2025-23006
CVE-2025-40602
Affected Vendors
Remediation
- Update affected SMA1000 appliances to the patched versions 12.4.3-03245 or 12.5.0-02283.
- Limit SSH access to the appliance management console to only VPN connections or approved administrative IP addresses.
- Disable SSL-VPN management interface access from the public internet until patches are applied.
- Monitor logs for unusual privilege escalation attempts or unexpected administrative actions.
- Ensure the team is prepared to respond if any appliance shows signs of compromise.
- Continuously follow SonicWall PSIRT updates for additional patches or mitigation recommendations.
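The affected and patched builds named above, together with the SSH allowlisting recommendation, can be turned into two mechanical checks for an appliance inventory. The following is an added example, not code from the advisory or from SonicWall: it parses the advisory's "<major>.<minor>.<patch>-<build>" version strings, classifies each appliance against the last affected and first fixed build of the 12.4.3 and 12.5.0 trains, and flags management-console SSH sources that fall outside an approved network list. The hostnames, IP addresses, allowlist and the rule for trains the advisory does not name are constructed assumptions.

```python
"""Added example, not code from the advisory or from SonicWall.

Two defensive checks drawn from the advisory text:
  1. classify an SMA1000 firmware version string against the affected and
     patched builds named for CVE-2025-40602;
  2. flag management-console SSH sources that fall outside an approved
     administrative allowlist.
Version strings use the advisory's "<major>.<minor>.<patch>-<build>" form.
Hostnames, IP addresses and the allowlist below are constructed.
"""
import ipaddress
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

# Release trains named in the advisory, with the last affected build and the
# first fixed build for each.
AFFECTED_MAX = {(12, 4, 3): 3093, (12, 5, 0): 2002}
FIXED_MIN = {(12, 4, 3): 3245, (12, 5, 0): 2283}
OLDEST_NAMED_TRAIN = min(AFFECTED_MAX)


def parse_version(text):
    """Split '12.4.3-03093' into ((12, 4, 3), 3093); leading zeros are dropped."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 version string: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch), build


def assess_version(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string.

    Assumptions (not stated by the advisory): any build in a named train below
    the fixed build is treated as vulnerable, and any train older than 12.4.3
    counts as 'earlier' and therefore vulnerable; trains the advisory does not
    name are reported as unknown for manual review.
    """
    train, build = parse_version(text)
    if train in FIXED_MIN:
        return "patched" if build >= FIXED_MIN[train] else "vulnerable"
    if train < OLDEST_NAMED_TRAIN:
        return "vulnerable"
    return "unknown"


def audit_inventory(inventory):
    """Map appliance name -> status for a {name: version} inventory."""
    return {name: assess_version(version) for name, version in inventory.items()}


def hosts_needing_action(inventory):
    """Names of appliances that are vulnerable or could not be classified."""
    return sorted(n for n, s in audit_inventory(inventory).items() if s != "patched")


def unapproved_ssh_sources(sources, allowlist):
    """Return source addresses not covered by any approved network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    flagged = []
    for src in sources:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in nets):
            flagged.append(src)
    return flagged


# Constructed inventory and management-plane data for a stand-alone run.
SAMPLE_INVENTORY = {
    "sma-dc1": "12.4.3-03093",     # last affected 12.4.3 build
    "sma-dc2": "12.4.3-03245",     # fixed 12.4.3 build
    "sma-branch": "12.5.0-02002",  # last affected 12.5.0 build
    "sma-lab": "12.5.0-02283",     # fixed 12.5.0 build
    "sma-legacy": "12.4.2-00120",  # older train, treated as earlier/affected
    "sma-odd": "12.6.0-00010",     # train not named by the advisory
}
SAMPLE_ALLOWLIST = ["10.10.0.0/24", "192.0.2.10/32"]  # VPN pool + admin host
SAMPLE_SSH_SOURCES = ["10.10.0.15", "192.0.2.10", "198.51.100.77"]

if __name__ == "__main__":
    for name, status in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12} {SAMPLE_INVENTORY[name]:14} {status}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
    print("unapproved SSH sources:",
          unapproved_ssh_sources(SAMPLE_SSH_SOURCES, SAMPLE_ALLOWLIST))
```

Appliances reported as "unknown" should be checked by hand against the vendor advisory rather than assumed safe; the allowlist check is only meaningful once management SSH is actually restricted to the VPN pool and approved administrative addresses, as the remediation steps describe.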