SonicWall has issued an urgent security advisory for its high-end remote access appliances, patching a vulnerability that, while seemingly moderate on its own, serves as the final piece in a devastating attack chain capable of granting hackers total control over corporate networks.
The vulnerability, tracked as CVE-2025-40602, affects the SMA1000 series of secure access gateways—devices critical for managing remote workforce connectivity. While officially rated with a CVSS score of 6.6, the real danger lies in how attackers are using it.
On the surface, the flaw is described as a “local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC)”. Typically, this would mean an attacker needs to already be inside the system to cause damage.
However, SonicWall’s advisory reveals a darker context. This specific bug is being weaponized alongside a previously disclosed critical flaw to catastrophic effect.
“IMPORTANT: This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges,” the advisory warns.
By chaining these two exploits, attackers can bypass authentication entirely (using the first flaw) and then elevate their permissions to root (using the new flaw), effectively seizing the “keys to the castle” without ever needing a valid username or password.
The vulnerability is specific to the SMA1000 series running firmware versions 12.4.3-03093 and earlier, or 12.5.0-02002 and earlier.
SonicWall is urging users to patch immediately. The company has released platform-hotfixes (builds 12.4.3-03245 and 12.5.0-02283) to close the security gap.
For organizations that cannot take their systems offline for an immediate update, SonicWall suggests a strict workaround: lock down the management interface. Administrators should “Disable SSL VPN management interface (AMC) and SSH access from the public internet” and restrict access to VPN tunnels or specific internal IP addresses only.
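The firmware ranges above can be applied to an appliance inventory. The following is an added example, not code from SonicWall or from this article: the hostnames and sample inventory are constructed, and treating builds that fall between the affected and hotfix numbers, or on branches the article does not list, as "check-advisory" is an assumption made here.

```python
import re

# Build thresholds as stated in the article, keyed by firmware branch:
# branch -> (highest affected build, hotfix build)
THRESHOLDS = {
    (12, 4, 3): (3093, 3245),
    (12, 5, 0): (2002, 2283),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def classify(version):
    """Classify one firmware string such as '12.4.3-03093'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch, build = (int(g) for g in m.groups())
    limits = THRESHOLDS.get((major, minor, patch))
    if limits is None:
        # Branch not named in the article: do not guess (assumption).
        return "check-advisory"
    affected_max, fixed_min = limits
    if build <= affected_max:
        return "affected"
    if build >= fixed_min:
        return "fixed"
    # Build between the two stated numbers: status not given in the article.
    return "check-advisory"


def triage(inventory):
    """Return {host: status} for every appliance not confirmed fixed."""
    statuses = {host: classify(ver) for host, ver in inventory.items()}
    return {host: s for host, s in statuses.items() if s != "fixed"}


# Constructed sample inventory (hostnames are hypothetical).
SAMPLE_INVENTORY = {
    "sma-edge-01": "12.4.3-03093",  # highest affected 12.4.3 build
    "sma-edge-02": "12.4.3-03245",  # 12.4.3 hotfix build
    "sma-edge-03": "12.5.0-01950",  # constructed build below 02002
    "sma-edge-04": "12.5.0-02283",  # 12.5.0 hotfix build
    "sma-edge-05": "12.4.3-03150",  # constructed build between the two
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Appliances reported as "affected" or "check-advisory" are the ones to patch or to place behind the management-interface restriction first.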