
"SonicWall's official notice, published this week, says users should update to the latest hotfix versions immediately and restrict access to the Appliance Management Console to trusted networks. The vendor's PSIRT team says the issue affects only SMA 1000 appliances and does not impact other SonicWall firewall products or SSL VPN functions, but the fact that attackers have already begun exploiting the flaw underscores how exposed remote-access infrastructure remains."
"SonicWall has been a frequent target for cybercrime crews in 2025. In September, the vendor disclosed a breach of its MySonicWall cloud backup service, where attackers accessed firewall configuration backups stored for customers. Initial estimates that fewer than 5 percent of users were affected were later revised after an incident response investigation with Mandiant concluded that all organizations using the service had their backup files exposed."
"The bug, tracked as CVE-2025-40602, resides in the appliance management console of SonicWall's Secure Mobile Access (SMA) 1000 series and stems from missing or insufficient authorization checks that let authenticated attackers elevate their privileges. SonicWall's advisory says the vulnerability has been chained with another SMA 1000 flaw patched earlier this year (CVE-2025-23006) to enable unauthenticated remote code execution with root rights - a particularly nasty combo when weaponized in the wild."
A missing authorization check in the SMA 1000 appliance management console (CVE-2025-40602) allows authenticated attackers to escalate privileges. The flaw has been chained with a previously patched bug (CVE-2025-23006) to achieve unauthenticated remote code execution with root rights. SonicWall advises immediate application of hotfixes and restricting Appliance Management Console access to trusted networks. The issue affects only SMA 1000 appliances and not other SonicWall firewall products or SSL VPN functions. Hundreds of SMA 1000 units are visible on the internet, and prior exposure of MySonicWall backups has already revealed configuration data useful to attackers.
Read at The Register