Latest SonicWall vulnerabilities #
SonicWall has disclosed four vulnerabilities, across two advisories (SNWLID-2025-0014 and SNWLID-2025-0012), in certain versions of SMA 100 series products (SMA 210, 410 and 500v).
- An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote adversary with administrative privileges can exploit this flaw to upload arbitrary files to the system, potentially leading to remote code execution (RCE). This vulnerability has been designated CVE-2025-40599 and has been rated critical with a CVSS score of 9.1.
- A stack-based buffer overflow vulnerability in the SMA 100 series web interface may allow a remote, unauthenticated adversary to achieve remote code execution (RCE) or cause a denial-of-service (DoS) condition. This vulnerability has been designated CVE-2025-40596 and has been rated high with a CVSS score of 7.3.
- A heap-based buffer overflow vulnerability in the SMA 100 series web interface may allow a remote, unauthenticated adversary to achieve remote code execution (RCE) or cause a denial-of-service (DoS) condition. This vulnerability has been designated CVE-2025-40597 and has been rated high with a CVSS score of 7.5.
- A reflected cross-site scripting (XSS) vulnerability in the SMA 100 series web interface may allow a remote, unauthenticated adversary to execute arbitrary client-side JavaScript code in a victim's web browser. This vulnerability has been designated CVE-2025-40598 and has been rated medium with a CVSS score of 6.1.
The following versions are affected
- SMA 100 Series (SMA 210, 410, 500v) version 10.2.1.15-81sv and prior versions
What is the impact? #
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable device, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- SMA 100 Series (SMA 210, 410, 500v) upgrade to version 10.2.2.1-90sv or later
There is no evidence these vulnerabilities are being exploited in the wild. However, due to latest threat intelligence from Google Threat Intelligence Group (GTIG), which highlights potential risks, SonicWall is strongly advising all organizations using SMA 100 series products to take additional measures detailed in the comments section of the security advisory SNWLID-2025-0014.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate potentially vulnerable assets:
hw:="SonicWall SMA100"May 2025: Multiple vulnerabilities #
SonicWall has issued an advisory for its SMA100 Series appliances.
- CVE-2025-32819 and has been rated high with a CVSS score of 8.8.
- CVE-2025-32820 and has been rated high with a CVSS score of 8.3.
- CVE-2025-32821 and has been rated medium with a CVSS score of 6.7.
What is the impact? #
When chained together, the vulnerabilities could allow a remote authenticated attacker to bypass system checks leading to potential remote code execution. It does not affect SonicWall Firewall or SMA 1000 series appliances.
Are updates or workarounds available? #
The vendor advises users to update to platform-hotfix (10.2.1.15-81sv or later) as soon as possible. The vendor also advises its customers to configure multifactor authentication (MFA) and enable WAF on the appliance.
How to find potentially vulnerable systems with runZero #
From the Service Inventory, use the following query to locate systems running potentially vulnerable firmware:
hw:"SonicWall SMA100" OR (_asset.protocol:http AND http.head.server:="SonicWALL SSL-VPN Web Server")January 2025: SMA1000 Series #
SonicWall has issued an advisory for its SMA1000 Series appliances. The vendor reported that this vulnerability may be actively exploited in the wild.
This vulnerability has been designated CVE-2025-23006 and has been assigned a CVSS score of 9.8 (critical).
What is the impact? #
The vulnerability would allow for a remote unauthenticated attacker to execute arbitrary operating system commands. The vulnerability was discovered within the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). It does not affect SonicWall Firewall or SMA 100 series appliances.
Are updates or workarounds available? #
The vendor advises users to update to platform-hotfix (12.4.3-02854 or later) as soon as possible. The vendor also advises its customers to follow the steps outlined in the Best Practices section of the SMA1000 Administration Guide. Access to the console should also be restricted to trusted networks.
How to find potentially vulnerable systems with runZero #
From the Service Inventory, use the following query to locate systems running potentially vulnerable firmware:
hw:"SonicWall SMA1000" OR _asset.protocol:http (last.html.title:="Appliance Management Console Login" OR last.html.title:="Central Management Console Login" OR http.head.server:="SMA/%" OR (favicon.ico.image.mmh3:"16866410" AND (last.html.title:"WorkPlace" OR html.title:"WorkPlace")))September 2024: SonicOS and SSLVPN #
SonicWall disclosed a vulnerability that affects SonicOS management access and SSLVPN software on SonicWall Gen 5, Gen 6, in addition to Gen 7 devices running SonicOS version 7.0.1-5035 or earlier.
CVE-2024-40766 is rated critical with CVSS score of 9.3, and potentially allows for unauthorized resource access by an attacker.
What is the impact? #
Successful exploitation of this vulnerability potentially results in unauthorized resource access and in some cases could lead to a DoS after causing vulnerable devices to crash.
Are updates or workarounds available? #
SonicWall recommends restricting management access to trusted sources or disabling WAN management from the public Internet. Additionally, SonicWall has released updated firmware which is available for download from mysonicwall.com.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
hw:"SonicWall"
