Cybersecurity Threat Advisory: SonicWall SMA 100 appliance vulnerability

A SonicWall SMA 100 vulnerability, tracked as CVE‑2025‑40602, is actively being exploited in the wild. SonicWall has issued patches, and CISA added the flaw to its KEV catalog, requiring federal agencies to patch by Dec. 24, 2025. Read this Cybersecurity Threat Advisory to discover actionable steps to protect your organization and clients from potential compromise.

What is the threat?

CVE‑2025‑40602 is a local privilege escalation flaw in the SonicWall SMA 100 series management console caused by insufficient authorization. Attackers have chained this flaw with CVE‑2025‑23006 (CVSS 9.8) to enable unauthenticated remote code execution with root privileges. The issue affects appliances running SMA versions 12.4.3‑03093 and earlier, and 12.5.0‑02002 and prior.

Why is it noteworthy?

Threat actors are exploiting this SonicWall SMA 100 vulnerability in the wild, targeting remote-access appliances to gain elevated privileges on the gateway. With this control, attackers can disrupt remote-access functionality and compromise user sessions.

What is the exposure or risk?

Once an attacker elevates permissions and gains control over remote-access operations, they can manipulate VPN configurations and user sessions, potentially enabling deeper access to internal resources through existing connectivity. Because this vulnerability is actively exploited in the wild, compromised devices may be used to disrupt authentication flows, steal credentials linked to the appliance, and pivot into connected environments after privilege escalation.

What are the recommendations?

Barracuda recommends the following actions to secure your environment:

  • Apply available updates to SMA 100 appliances.
  • Limit external access to appliance management interfaces and enforce strong authentication on remote‑access portals.
  • Review VPN configurations to reduce avenues for privilege‑escalation abuse tied to CVE‑2025‑40602.
  • Preserve appliance and network logs, audit for anomalous administrative actions or configuration changes, and review remote‑access session histories to identify potential exploitation patterns.
  • Leverage solutions, such as Barracuda Managed XDR, to alert on indicators of privilege escalation on SMA devices, unexpected policy changes, or creation of new admin accounts; increase scrutiny of authentication events linked to the gateway given confirmed exploitation.
  • Enumerate all SMA 100 deployments, validate their software versions against the fixed releases, and document internet‑facing management exposure and access policies to prioritize monitoring and follow‑up actions.
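The inventory check in the last recommendation can be scripted. The following is an added example, not code from Barracuda or SonicWall: it compares each appliance's firmware string against the affected ceilings quoted in this advisory and orders the results so that affected appliances with an internet-facing management interface come first. The inventory records, host names, field names and the builds above the ceilings are constructed, and treating "and earlier" as covering older release lines is an assumption.

```python
import re

# Highest affected builds exactly as this advisory states them:
# (major, minor, patch, build). Fixed-release numbers are not on the page.
CEILINGS = [(12, 4, 3, 3093), (12, 5, 0, 2002)]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)")

def parse_version(text):
    """Parse 'major.minor.patch-build' into a 4-tuple, or None if malformed."""
    # Versions pasted from web pages often carry U+2011 non-breaking hyphens.
    cleaned = text.strip().replace("\u2011", "-")
    match = _VERSION_RE.match(cleaned)
    return tuple(int(part) for part in match.groups()) if match else None

def classify(version_text):
    """Return 'affected', 'above-ceiling' or 'review' for one firmware string."""
    version = parse_version(version_text)
    if version is None:
        return "review"                   # unparseable: check by hand
    for ceiling in CEILINGS:
        if version[:3] == ceiling[:3]:    # same release line as a stated ceiling
            return "affected" if version <= ceiling else "above-ceiling"
    if version < min(CEILINGS):           # assumption: "and earlier" covers older lines
        return "affected"
    return "review"                       # release line the advisory does not name

def triage(inventory):
    """Order appliances for follow-up: affected with exposed management first."""
    rank = {"affected": 0, "review": 2, "above-ceiling": 4}
    rows = []
    for item in inventory:
        status = classify(item["version"])
        priority = rank[status] + (0 if item["mgmt_exposed"] else 1)
        rows.append((priority, item["host"], status))
    return [(host, status) for _, host, status in sorted(rows)]

# Constructed inventory; hosts and the builds above the ceilings are not real.
INVENTORY = [
    {"host": "sma-a", "version": "12.4.3-03093", "mgmt_exposed": False},
    {"host": "sma-b", "version": "12.5.0\u201102002", "mgmt_exposed": True},
    {"host": "sma-c", "version": "12.4.3-09999", "mgmt_exposed": True},
    {"host": "sma-d", "version": "12.5.1-00001", "mgmt_exposed": False},
    {"host": "sma-e", "version": "n/a", "mgmt_exposed": False},
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host}: {status}")
```

An `above-ceiling` result only means the build is newer than the highest affected build named here; it still has to be validated against the fixed release in the vendor's advisory.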

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.