Full Report
SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC). It affects the following
Analysis Summary
# Vulnerability: Local Privilege Escalation in SonicWall SMA 100 AMC
## CVE Details
- CVE ID: CVE-2025-40602
- CVSS Score: 6.6 (Medium)
- CWE: Insufficient Authorization (Inferred from description)
## Affected Systems
- Products: SonicWall Secure Mobile Access (SMA) 100 series appliances
- Versions:
  - 12.4.3-03093 (platform-hotfix) and earlier versions
  - 12.5.0-02002 (platform-hotfix) and earlier versions
- Configurations: Affects the Appliance Management Console (AMC).
## Vulnerability Description
The vulnerability is a Local Privilege Escalation (LPE) flaw stemming from insufficient authorization checks within the Appliance Management Console (AMC) of the SMA 100 series appliances. This flaw can be chained with CVE-2025-23006 (unauthenticated RCE, patched January 2025) to achieve unauthenticated remote code execution with root privileges.
## Exploitation
- Status: Exploited in the wild
- Complexity: Not explicitly stated, but exploitation alongside the RCE suggests that a working exploitation path exists.
- Attack Vector: Local (initially), but when combined with CVE-2025-23006 the exploit chain enables remote exploitation.
## Impact
- Confidentiality: High (When chained with RCE)
- Integrity: High (When chained with RCE)
- Availability: High (When chained with RCE)
*Note: The direct impact of CVE-2025-40602 alone is LPE. The critical impact is realized when leveraged against a system also vulnerable to or already exploited by RCE (CVE-2025-23006).*
## Remediation
### Patches
- For versions derived from 12.4.3: **12.4.3-03245 (platform-hotfix)**
- For versions derived from 12.5.0: **12.5.0-02283 (platform-hotfix)**
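
To triage an appliance inventory against the affected and fixed builds listed above, the following added example (not SonicWall's code or tooling) classifies firmware version strings written in the format this summary uses. It assumes build numbers increase numerically within a release line and that "and earlier versions" includes older release lines; the host names and inventory are constructed.

```python
import re

# Build numbers per release line, taken from the summary above.
LAST_LISTED_AFFECTED = {(12, 4, 3): 3093, (12, 5, 0): 2002}
FIRST_FIXED = {(12, 4, 3): 3245, (12, 5, 0): 2283}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Split '12.4.3-03093 (platform-hotfix)' into ((12, 4, 3), 3093)."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, build = (int(part) for part in m.groups())
    return (major, minor, patch), build


def classify(text):
    """Return 'patched', 'affected', 'below-fixed-build' or 'unknown'."""
    release, build = parse_version(text)
    if release in FIRST_FIXED:
        if build >= FIRST_FIXED[release]:
            return "patched"
        if build <= LAST_LISTED_AFFECTED[release]:
            return "affected"
        # Between the last listed affected build and the fixed build: the
        # summary does not list it, but it predates the fix (assumption).
        return "below-fixed-build"
    if release < min(FIRST_FIXED):
        # Assumption: "and earlier versions" includes older release lines.
        return "affected"
    return "unknown"  # release line not mentioned in the summary


def needs_update(inventory):
    """Return {host: status} for every appliance that is not 'patched'."""
    statuses = {host: classify(version) for host, version in inventory.items()}
    return {host: s for host, s in statuses.items() if s != "patched"}


# Constructed inventory; host names are hypothetical.
SAMPLE_INVENTORY = {
    "sma-edge-01": "12.4.3-03093 (platform-hotfix)",
    "sma-edge-02": "12.4.3-03245 (platform-hotfix)",
    "sma-edge-03": "12.5.0-02150",
    "sma-lab-01": "12.5.0-02283",
}

if __name__ == "__main__":
    for host, status in needs_update(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A result of `unknown` means the release line is not covered by this summary and should be checked against the vendor advisory.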
### Workarounds
- Apply the patches immediately due to active exploitation. (No specific workaround detailed in the summary context, but immediate patching is stressed.)
## Detection
- Indicators of Compromise (IOCs) are not detailed in the summary, but monitoring for activity related to the chained vulnerability (CVE-2025-23006) and signs of unauthorized privilege escalation or the deployment of backdoors (such as OVERSTEP, linked in related threat context) on SMA appliances should be prioritized.
## References
- Vendor Advisory: psirt dot global dot sonicwall dot com/vuln-detail/SNWLID-2025-0019
- Related CVE (RCE): CVE-2025-23006
- Threat Context: Reference to UNC6148 group tracking targeting EOL devices.