SonicWall Releases Patches for Actively Exploited Privilege Escalation Vulnerability

Summary: SonicWall has released a security update to fix a privilege escalation vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was exploited in zero-day attacks to escalate privileges.

The issue was discovered by Google Threat Intelligence Group (GTIG) and while attack details are limited, the active exploitation makes immediate patching essential. The flaw, tracked as CVE-2025-40602 (CVSS score of 6.6), is a medium-severity local privilege escalation issue. SonicWall warned that the security defect has been exploited as a zero-day.

OEM: SonicWall
Severity: Medium
CVSS Score: 6.6
CVEs: CVE-2025-40602
POC Available: No
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0

Overview 

This vulnerability is actively being exploited in the wild and has been used along with another critical vulnerability (CVE-2025-23006) to gain root-level access without authentication.

While SonicWall firewall products are not impacted, organizations are strongly advised to apply the latest hotfix immediately to prevent system takeover and security breaches.

Vulnerability Name: Local Privilege Escalation vulnerability
CVE ID: CVE-2025-40602
Product Affected: SonicWall SMA1000
Severity: Medium
Fixed Version: v12.4.3-03245, v12.5.0-02283

Technical Summary 

The vulnerability is caused by weak permission checks in the SonicWall SMA1000 Appliance Management Console (AMC).

A user who already has limited access to the system can abuse this vulnerability to gain higher privileges, up to full root-level control. An attacker could modify system settings, access sensitive data or maintain persistence on the device if the issue is not fixed.

CVE ID: CVE-2025-40602
System Affected: Appliance Management Console (AMC)
Vulnerability Details: Weak access control checks in the AMC allow a logged-in user with limited permissions to escalate privileges and gain higher-level, potentially root, access.
Impact: Root-level access, full system compromise

Remediation:  

Upgrade SMA1000 appliances immediately to one of the fixed versions below:

  • v12.4.3-03245 (platform-hotfix) and later
  • v12.5.0-02283 (platform-hotfix) and later

If immediate patching is not possible, apply the following temporary mitigations:

  1. Restrict access to the Appliance Management Console (AMC) to trusted administrative IP addresses only
  2. Disable AMC and SSH access from the public internet
  3. Review SMA access logs for any signs of unauthorized administrative activity
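The following script is an added example for the remediation steps above; it is not SonicWall's code and it is not taken from this advisory. It does two things a defender typically needs when triaging CVE-2025-40602: it checks whether a reported SMA1000 version string is at or above the fixed hotfix for its 12.4/12.5 branch (the two fixed builds come from the advisory), and it reviews access log lines for AMC or SSH activity sourced from outside the trusted administrative ranges (mitigations 1 and 3). The log layout, the `10.20.0.0/24` admin network and every log line are constructed for the example; real SMA1000 log exports use a different format, so `parse_log_line()` must be adapted before use.

```python
"""Triage helper for CVE-2025-40602 (SonicWall SMA1000 AMC privilege escalation).

Added example, not SonicWall's code. Fixed builds are from the advisory; the
log format, the trusted admin network and the sample log are CONSTRUCTED.
"""
import ipaddress
import re

# Fixed platform-hotfix builds from the advisory, keyed by release branch.
FIXED_VERSIONS = {
    (12, 4): (12, 4, 3, 3245),   # v12.4.3-03245
    (12, 5): (12, 5, 0, 2283),   # v12.5.0-02283
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Turn 'v12.4.3-03245' into (12, 4, 3, 3245); raise ValueError if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(version_text):
    """True if the version is at or above the fixed hotfix for its branch.

    Branches the advisory does not list (for example 12.3) return False so
    they are treated as unverified rather than silently assumed safe.
    """
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return False
    return v >= fixed  # tuple comparison: major, minor, patch, then build number


# CONSTRUCTED sample log in a simple "timestamp user src_ip service event" layout.
SAMPLE_LOG = """\
2025-01-23T08:02:11Z admin 10.20.0.5 AMC login_success
2025-01-23T08:05:40Z admin 203.0.113.77 AMC login_success
2025-01-23T08:06:02Z admin 203.0.113.77 AMC config_change
2025-01-23T09:15:23Z jdoe 10.20.0.9 WORKPLACE login_success
2025-01-23T09:30:00Z admin 198.51.100.10 SSH login_failure
"""

# Assumption: the organisation's admin VLAN; replace with your own ranges.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Management services that mitigations 1 and 2 say should never be reachable
# from untrusted networks.
ADMIN_SERVICES = {"AMC", "SSH"}


def parse_log_line(line):
    """Split one constructed log line into a record (adapt for real exports)."""
    ts, user, src, service, event = line.split()
    return {"ts": ts, "user": user, "src": ipaddress.ip_address(src),
            "service": service, "event": event}


def find_untrusted_admin_activity(log_text, trusted_nets=TRUSTED_ADMIN_NETS):
    """Return records of AMC/SSH activity whose source is outside trusted_nets."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_log_line(raw)
        if rec["service"] not in ADMIN_SERVICES:
            continue
        if any(rec["src"] in net for net in trusted_nets):
            continue
        hits.append(rec)
    return hits


def triage(version_text, log_text):
    """Combine both checks into one summary dict for an appliance."""
    patched = is_patched(version_text)
    hits = find_untrusted_admin_activity(log_text)
    return {"version": version_text, "patched": patched,
            "untrusted_admin_events": len(hits), "needs_attention": (not patched) or bool(hits)}


if __name__ == "__main__":
    for v in ("v12.4.3-03100", "v12.4.3-03245", "12.5.0-02283"):
        print(v, "patched" if is_patched(v) else "VULNERABLE or unverified")
    for h in find_untrusted_admin_activity(SAMPLE_LOG):
        print("untrusted admin activity:", h["ts"], h["user"], h["src"], h["service"], h["event"])
    print(triage("v12.4.3-03100", SAMPLE_LOG))
```

Version strings are compared as tuples so that a later patch level on the same branch (for example v12.5.1-00001) is accepted as "and later", while a build number below the hotfix on the same patch level is rejected; anything on an unlisted branch is deliberately reported as not patched so it gets a human look.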

Conclusion:
The SonicWall SMA1000 vulnerability represents a significant security risk for organizations using SMA1000 appliances, especially given its active exploitation in real-world attacks.

When chained with the other vulnerability (CVE-2025-23006), it can result in complete system compromise. Immediate patching, strict access control and continuous monitoring are critical to mitigating this threat and maintaining secure remote access infrastructure.

SMA1000 is a secure remote access appliance used by large organizations to provide VPN access to corporate networks, so any unpatched flaw in it poses a high risk of exploitation.
