At a glance: SonicWall confirmed active exploitation of CVE-2025-40602, a local privilege escalation vulnerability affecting SMA 100 series appliances, which was used as part of a vulnerability chain to achieve unauthenticated remote code execution. Organizations should apply available hotfixes and restrict public access to management interfaces and SSH.
Threat summary
On December 17, SonicWall released fixes for CVE-2025-40602, a local privilege escalation vulnerability affecting Secure Mobile Access (SMA) 100 series appliances. The flaw was discovered by researchers from Google’s Threat Intelligence Group, who confirmed it was exploited as a zero-day prior to the patch release. SonicWall acknowledged active exploitation but did not attribute the activity to a specific threat group.
SonicWall issued hotfixes in firmware versions 12.4.3-03245 and 12.5.0-02283 to address CVE-2025-40602, which carries a CVSS score of 6.6.
SMA 100 series appliances are widely used to provide secure remote access for employees, contractors, and partners. They are common in small to mid-sized enterprises, MSP environments, and government agencies that rely on Secure Sockets Layer Virtual Private Network (SSL VPN) technology for connectivity.
The vulnerability resides in the Appliance Management Console, where insufficient authorization checks allow privilege escalation. On its own, the flaw enables local privilege escalation and requires existing access. However, it was exploited as part of a vulnerability chain with CVE-2025-23006, a critical pre-authentication deserialization vulnerability in SMA 1000 appliances disclosed in January 2025. CVE-2025-23006 carries a CVSS score of 9.8. By chaining these flaws, threat actors were able to achieve unauthenticated remote code execution and full system compromise.
Insights & mitigations
Although SMA 100 series appliances reached end of support on October 31, 2025, SonicWall issued this patch as a security hotfix due to confirmed exploitation. This exception to the end-of-support policy underscores the severity of the vulnerability and the ongoing risk to organizations that have not yet migrated away from SMA 100 series appliances.
MSPs with multi-tenant deployments face elevated risk if appliances are exposed to the internet without proper segmentation, and should validate patch deployment across SMA 100 environments. Additional mitigations include disabling public access to the SSL VPN management interface (AMC) and Secure Shell (SSH). Restricting these services to internal or trusted administrative networks reduces the attack surface and limits opportunities for privilege escalation.
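One way to validate patch deployment across an SMA 100 fleet is to compare each appliance's reported firmware against the hotfix builds named above and rank unpatched units with an internet-reachable AMC or SSH first. The script below is an added example, not Field Effect's or SonicWall's code; it assumes that 12.4.3-03245 fixes the 12.4 branch and 12.5.0-02283 fixes the 12.5 branch, and that any other branch needs manual review. The inventory rows are constructed sample data.

```python
"""Flag SMA 100 appliances whose firmware predates the CVE-2025-40602 hotfixes."""
import re
from typing import Optional

# Hotfix builds from the advisory, keyed by (major, minor) release branch.
# Assumption: each build fixes its own branch only.
HOTFIX = {(12, 4): "12.4.3-03245", (12, 5): "12.5.0-02283"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Optional[tuple]:
    """Turn '12.4.3-03245' into (12, 4, 3, 3245); None if malformed."""
    m = _VER.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def assess(version: str, mgmt_exposed: bool) -> str:
    """Classify one appliance: patched, vulnerable, vulnerable-exposed, or review.

    'vulnerable-exposed' means the firmware is unpatched AND the AMC/SSH
    interface is reachable from the internet, so it sorts to the top of the queue.
    """
    v = parse_version(version)
    if v is None:
        return "review"          # unparsable inventory data, check by hand
    fixed = HOTFIX.get(v[:2])
    if fixed is None:
        return "review"          # branch not named in the advisory
    if v >= parse_version(fixed):
        return "patched"
    return "vulnerable-exposed" if mgmt_exposed else "vulnerable"


# Constructed sample inventory: (hostname, firmware, management interface public?)
INVENTORY = [
    ("sma-hq", "12.4.3-03245", False),
    ("sma-branch", "12.4.3-02758", True),   # constructed pre-hotfix build
    ("sma-lab", "12.5.0-02283", False),
    ("sma-old", "12.3.1-01000", False),     # constructed, branch not covered
]


def triage(inventory=INVENTORY) -> dict:
    """Return {hostname: status} for every appliance in the inventory."""
    return {host: assess(ver, exposed) for host, ver, exposed in inventory}


if __name__ == "__main__":
    for host, status in sorted(triage().items(), key=lambda kv: kv[1]):
        print(f"{host:12} {status}")
```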
Field Effect MDR users were alerted via ARO earlier this year about devices vulnerable to CVE-2025-23006.
For threats such as CVE-2025-40602, Field Effect MDR continuously monitors endpoints, networks, and cloud services, detecting exploitation attempts targeting VPN appliances. Field Effect MDR also responds in real time to contain malicious activity before attackers can escalate privileges or execute commands targeting SMA devices. This includes isolating compromised endpoints, blocking malicious traffic, and cutting off attacker access, limiting the ability to use SMA appliances as entry points into broader networks.
Field Effect's security intelligence team combines business context with intelligence feeds to produce vulnerability analysis tailored to each client environment. This enables proactive early identification of affected instances that could be used in campaigns targeting VPN appliances, such as ransomware groups exploiting SonicWall SSL VPN vulnerabilities.