**SonicWall Warns of New SMA1000 Zero-Day Exploit Used in Attacks**

In a critical security alert, SonicWall has warned its customers to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was recently exploited by hackers. The medium-severity local privilege escalation security flaw, identified as CVE-2025-40602, was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group.

According to SonicWall, this vulnerability does not affect SSL-VPN running on SonicWall firewalls. However, remote unauthenticated attackers were able to chain this vulnerability with a critical-severity SMA1000 pre-authentication deserialization flaw (CVE-2025-23006) in zero-day attacks to execute arbitrary OS commands under specific conditions.

"This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges," SonicWall stated in its advisory. "CVE-2025-23006 was remediated in build version 12.4.3-02854 (platform-hotfix) and higher versions, released on January 22, 2025."

The SMA1000 is a secure remote access appliance used by large organizations to provide VPN access to corporate networks. Given the critical role these appliances play across enterprises, government, and critical infrastructure organizations, unpatched flaws pose a particularly high risk of exploitation.

This alert comes on the heels of recent security breaches affecting SonicWall customers. Last month, the company linked state-backed hackers to a September security breach that exposed customers' firewall configuration backup files. In addition, researchers warned of over 100 SonicWall SSLVPN accounts compromised using stolen credentials in September.

Shadowserver currently tracks over 950 SMA1000 appliances exposed online, although some may have already been patched against this attack chain. SonicWall strongly advises users to upgrade to the latest hotfix release version to address the vulnerability.

**What You Need to Know**

* SonicWall has warned customers of a new SMA1000 zero-day exploit used in attacks.
* The medium-severity local privilege escalation security flaw, identified as CVE-2025-40602, was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group.
* Remote unauthenticated attackers chained this vulnerability with a critical-severity SMA1000 pre-authentication deserialization flaw (CVE-2025-23006) in zero-day attacks to execute arbitrary OS commands under specific conditions.
* The SMA1000 is a secure remote access appliance used by large organizations to provide VPN access to corporate networks.
* Shadowserver currently tracks over 950 SMA1000 appliances exposed online.

**What You Can Do**

* Upgrade to the latest hotfix release version to address the vulnerability.
* Ensure that all SonicWall devices are patched against known vulnerabilities.
* Monitor network activity for suspicious behavior, such as unauthenticated remote code execution attempts.
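
To support the patching step, the following added example (not SonicWall's code) triages an appliance inventory against the CVE-2025-23006 fixed build quoted above, 12.4.3-02854. The hostnames and build strings are constructed, and tuple ordering of `major.minor.patch-build` across release trains is an assumption. The article gives no fixed build for CVE-2025-40602, so a "fixed" result here covers only CVE-2025-23006.

```python
import re

# Fixed build for CVE-2025-23006, as quoted from SonicWall's advisory in this article.
FIXED_23006 = (12, 4, 3, 2854)

# Matches the 'major.minor.patch-build' prefix; trailing labels such as
# '(platform-hotfix)' are ignored.
_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_build(text):
    """Return the build as a tuple of ints, or None if the string is malformed."""
    m = _BUILD_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(build_text):
    """'fixed', 'vulnerable' or 'unknown' with respect to CVE-2025-23006 only."""
    build = parse_build(build_text)
    if build is None:
        return "unknown"  # unparseable builds need manual review, never assume patched
    # Assumption: builds order as integer tuples, so '02854' compares as 2854.
    return "fixed" if build >= FIXED_23006 else "vulnerable"


def triage(inventory):
    """Group hostnames by classification, each group sorted for stable reports."""
    groups = {"vulnerable": [], "unknown": [], "fixed": []}
    for host, build_text in inventory.items():
        groups[classify(build_text)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed inventory: hostnames and build strings are illustrative only.
SAMPLE_INVENTORY = {
    "sma-a.example.internal": "12.4.3-02804",
    "sma-b.example.internal": "12.4.3-02854 (platform-hotfix)",
    "sma-c.example.internal": "12.4.2-05500",
    "sma-d.example.internal": "12.5.0-00100",
    "sma-e.example.internal": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
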