🔴 CVE-2025-40602

CVE-2025-40602 is a local privilege escalation vulnerability in SonicWall SMA1000 appliances that is being actively exploited in the wild when chained with CVE-2025-23006. CISA has added this to the KEV catalog due to confirmed exploitation.

Risk Level: HIGH_RISK

MITRE Technique: T1190

CVSS Score: 6.6

Attack Vector: NETWORK

Deployment Risk: VERY_HIGH

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-12-18

Added to CISA KEV: 2025-12-17 (0 day between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence

Key Sources:

  • SonicWall SMA1000 Zero-Day Exploited (CVE-2025-40602 & CVE-2025-23006)

    Exploitation Chain: Attackers combine CVE-2025-40602 with CVE-2025-23006, a critical pre-authentication deserialization vulnerability (CVSS: 9.8), to achieve unauthenticated remote code execution at root level. Attack Vector: Exploitation targets SMA1000 appliances with the AMC interface exposed to the internet.

  • Exploited SonicWall zero-day patched (CVE-2025-40602)

    SonicWall has patched a local privilege escalation vulnerability (CVE-2025-40602) affecting its Secure Mobile Access (SMA) 1000 appliances and is urging customers to apply the provided hotfix, as the flaw has been exploited by attackers. ... If the SMA 1000 appliance is patched for CVE-2025-23006, a threat actor would have to find another way to access a local system user account to exploit CVE-2025-40602, a SonicWall spokesperson told Help Net Security. ... But to mitigate CVE-2025-40602 ...

  • SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

    The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC). It's worth noting that CVE-2025-23006 was patched by the company in late January 2025 in version 12.4.3-02854 (platform-hotfix). Clément Lecigne and Zander Work of Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting CVE-2025-40602. There are currently no details on the scale of the attacks and who is behind the efforts.

  • Exploitation of CVE-2025-40602 chained with CVE-2025-23006

    Key takeaways: CVE-2025-40602 is a local privilege escalation vulnerability in the appliance management console (AMC) of the SonicWall SMA 1000 appliance. CVE-2025-40602 has been exploited in a chained attack with CVE-2025-23006, a deserialization of untrusted data vulnerability patched in January.

  • Sonicwall warns of new SMA1000 zero-day exploited in attacks

    SonicWall warned customers today to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was chained in zero-day attacks to escalate privileges. According to SonicWall, this medium-severity local privilege escalation security flaw (CVE-2025-40602) was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group, and doesn't affect SSL-VPN running on SonicWall firewalls.