SonicWall has warned customers of a zero-day flaw in its SMA 1000 remote-access appliance that’s being actively exploited, potentially allowing attackers to escalate privileges and take over boxes.

The bug, tracked as CVE-2025-40602, resides in the appliance management console of SonicWall’s Secure Mobile Access (SMA) 1000 series and stems from missing or insufficient authorization checks that let authenticated attackers elevate their privileges.

SonicWall’s advisory says the vulnerability has been chained with another SMA 1000 flaw patched earlier this year (CVE-2025-23006) to enable unauthenticated remote code execution with root rights – a particularly nasty combo when weaponized in the wild.

SonicWall’s official notice, published this week, says users should update to the latest hotfix versions immediately and restrict access to the Appliance Management Console to trusted networks. The vendor’s PSIRT team says the issue affects only SMA 1000 appliances and does not impact other SonicWall firewall products or SSL VPN functions, but the fact that attackers have already begun exploiting the flaw underscores how exposed remote-access infrastructure remains.

Researchers tracking exposed devices report hundreds of SMA 1000 units visible on the open internet, meaning a large pool of potentially vulnerable targets if patches aren’t applied quickly.

SonicWall has been a frequent target for cybercrime crews in 2025. In September, the vendor disclosed a breach of its MySonicWall cloud backup service, where attackers accessed firewall configuration backups stored for customers. Initial estimates that fewer than 5 percent of users were affected were later revised after an incident response investigation with Mandiant concluded that all organizations using the service had their backup files exposed.

Those exposed configuration files, which included network rules, access policies, and encrypted credentials, could give adversaries a detailed roadmap into corporate infrastructure if they can brute-force or decrypt the contents. SonicWall urged customers to delete any existing cloud backups, change their MySonicWall credentials, rotate shared secrets and passwords, and recreate new backup files locally rather than in the cloud.

SonicWall later attributed the backup compromise to state-sponsored threat actors, though it declined to name a specific country or group. The vendor has promised to “continue working with third parties to harden network and cloud infrastructure,” a process that, judging by this week’s actively exploited zero-day, appears to be very much still in progress. ®
