🔴 CVE-2025-40602

CVE-2025-40602 is a local privilege escalation vulnerability in SonicWall SMA1000 appliances that is being actively exploited in the wild when chained with CVE-2025-23006. CISA has added this to the KEV catalog due to confirmed exploitation.

Risk Level: HIGH_RISK
CVSS Score: 6.6
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-12-18

Added to CISA KEV: 2025-12-17 (0 days between CVE publication and KEV addition)


🔍 Web Intelligence (Kagi · 2025-12-19)

CVE-2025-40602 is a local privilege escalation vulnerability affecting SonicWall SMA 1000 appliances. Here's what is known about its exploitation:

  • Affected Applications/Services: The vulnerability affects the Appliance Management Console (AMC) of SonicWall SMA 1000 appliances [4][5]. It does not affect SSL-VPN running on SonicWall firewalls [5].
  • Active Exploitation: CVE-2025-40602 has been actively exploited in the wild [2][3].
  • Attack Vectors/Exploitation Methods:
    * The vulnerability is a local privilege escalation due to insufficient authorization in the AMC [3][8].
    * Exploitation often involves chaining CVE-2025-40602 with CVE-2025-23006, a deserialization of untrusted data vulnerability, to achieve unauthenticated remote code execution at the root level [1][4].
    * If the SMA 1000 appliance is patched for CVE-2025-23006, a threat actor would need to find another way to access a local system user account to exploit CVE-2025-40602 [2].
  • Targeted Attacks: While it is known that the vulnerability is actively exploited, there are currently no specific details available regarding the scale or the actors behind these attacks [3].
  • CISA KEV Status: CISA has added CVE-2025-40602 to its Known Exploited Vulnerabilities (KEV) catalog [7][10]. This means that federal agencies are required to remediate it, and private sector organizations are strongly encouraged to do so as well [6][9].
  • Internet Exploitability: Exploitation targets SMA1000 appliances with the AMC interface exposed to the internet [1]. To exploit CVE-2025-40602, attackers have combined it with CVE-2025-23006 to achieve remote code execution [1].
SonicWall has released a hotfix and urges customers to apply it to mitigate the vulnerability [2].

Sources

  1. SonicWall SMA1000 Zero-Day Exploited (CVE-2025-40602 & CVE-2025-23006)

    Exploitation Chain: Attackers combine CVE-2025-40602 with CVE-2025-23006, a critical pre-authentication deserialization vulnerability (CVSS: 9.8), to achieve unauthenticated remote code execution at root level. Exploit: Attack Vector: Exploitation targets SMA1000 appliances with the AMC interface ex…

  2. Exploited SonicWall zero-day patched (CVE-2025-40602)

    SonicWall has patched a local privilege escalation vulnerability (CVE-2025-40602) affecting its Secure Mobile Access (SMA) 1000 appliances and is urging customers to apply the provided hotfix, as the flaw has been exploited by attackers. ... If the SMA 1000 appliance is patched for CVE-2025-23006, a…

  3. SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

    The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC). It's worth noting that CVE-2025-23006 was patched by the company in late January 2025 in versi…

  4. Exploitation of CVE-2025-40602 chained with CVE-2025-23006

    Key takeaways: CVE-2025-40602 is a local privilege escalation vulnerability in the appliance management console (AMC) of the SonicWall SMA 1000 appliance. CVE-2025-40602 has been exploited in a chained attack with CVE-2025-23006, a deserialization of untrusted data vulnerability patched in January.

  5. Sonicwall warns of new SMA1000 zero-day exploited in attacks

    SonicWall warned customers today to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was chained in zero-day attacks to escalate privileges. According to SonicWall, this medium-severity local privilege escalation security flaw (CVE-2025-40602) was reported by Cl…