SonicWall is urging customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution.
The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interface, which can allow remote threat actors who already hold administrative privileges to upload arbitrary files to the system. Because the bug is post-authentication, its practical value to an attacker lies in turning stolen admin credentials into code execution and persistence on the appliance.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the specified fixed release version to remediate this vulnerability," the company said. "This vulnerability does not affect SonicWall SSL VPN SMA1000 series products or SSL-VPN running on SonicWall firewalls."
While attackers need admin privileges to exploit CVE-2025-40599 successfully, and SonicWall has yet to find evidence that the vulnerability is being actively exploited, the company still warned customers to secure their devices, because SMA 100 appliances are already being targeted in attacks that use compromised credentials, which is exactly the precondition this flaw requires.
As Google Threat Intelligence Group (GTIG) researchers warned last week, an unknown threat actor, tracked as UNC6148, has been deploying a new rootkit malware called OVERSTEP on fully patched SonicWall SMA 100 Series devices. GTIG believes UNC6148 engages in data theft and extortion attacks, and may also deploy Abyss ransomware (also tracked as VSOCIETY).
While investigating these attacks, GTIG found evidence suggesting that the threat actor had stolen the credentials for the targeted appliance in January by exploiting several vulnerabilities (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819). Patching alone therefore does not close the exposure: credentials taken before the fix remain valid until they are rotated.
SonicWall "strongly" advised customers using SMA 100 virtual or physical appliances to check them for the indicators of compromise (IoCs) in GTIG's report by looking for unauthorized access and reviewing appliance logs and connection history for suspicious activity. Administrators who find any evidence of compromise are advised to contact SonicWall Support immediately for assistance.
To secure their devices, customers should limit remote management access on external interfaces, reset all passwords, and reinitialize OTP (One-Time Password) binding for both users and administrators. They should also enforce multi-factor authentication (MFA) and enable the Web Application Firewall (WAF).
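The log and connection-history review above is easier to repeat consistently with a small triage script. The following is an added example, not SonicWall's tooling or anything from GTIG's report: it applies three checks that follow directly from the hardening advice (administrator logins arriving on an external interface, successful logins that were not backed by OTP, and file uploads through the management interface, which is the action CVE-2025-40599 abuses). The key=value log format, the interface name `X1`, the allowlisted admin network `10.0.0.0/8` and the sample lines themselves are all constructed for the example; adapt the parser to the format your appliance actually exports.

```python
"""Triage an SMA-style appliance log for the signs the advisory tells admins to look for.

Added example, not vendor code. The line format (syslog-style prefix followed by
key=value fields), the external interface name and the allowlist are assumptions.
"""
import ipaddress
import re

# Assumed local policy: admin sessions should only come from this network.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed name of the WAN-facing interface on which remote management should be off.
EXTERNAL_IFACES = {"X1"}
ADMIN_USERS = {"admin"}

# Constructed sample log; not real SMA output.
SAMPLE_LOG = """\
2025-07-24T02:14:07Z sma410 auth: user=admin realm=LocalDomain src=203.0.113.45 iface=X1 result=success otp=no
2025-07-24T09:03:11Z sma410 auth: user=admin realm=LocalDomain src=10.0.5.12 iface=X0 result=success otp=yes
2025-07-24T09:05:40Z sma410 mgmt: user=admin action=upload path=/tmp/x.elf src=203.0.113.45 iface=X1
2025-07-24T11:30:02Z sma410 auth: user=jdoe realm=LocalDomain src=198.51.100.7 iface=X1 result=failure otp=no
2025-07-24T11:30:05Z sma410 auth: user=jdoe realm=LocalDomain src=198.51.100.7 iface=X1 result=success otp=yes
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<body>.*)$")


def parse_line(line):
    """Split one log line into a dict of fields; return None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "facility": m["facility"]}
    for tok in m["body"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def _allowlisted(ip_str):
    """True if the source address falls inside the assumed admin network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed or missing source: treat as not allowlisted
    return any(ip in net for net in MGMT_ALLOWLIST)


def review(record):
    """Return the reasons (possibly none) why this record deserves a second look."""
    reasons = []
    src = record.get("src", "")
    if record["facility"] == "auth" and record.get("result") == "success":
        if record.get("user") in ADMIN_USERS and record.get("iface") in EXTERNAL_IFACES:
            reasons.append("admin login on external interface")
        if record.get("otp") != "yes":
            reasons.append("successful login without OTP")
        if not _allowlisted(src):
            reasons.append(f"login from non-allowlisted source {src}")
    if record["facility"] == "mgmt" and record.get("action") == "upload":
        reasons.append(f"file upload via management interface from {src}: {record.get('path')}")
    return reasons


def triage(log_text):
    """Return (line number, user, reasons) for every line that trips a check."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = review(rec)
        if reasons:
            findings.append((n, rec.get("user"), reasons))
    return findings


if __name__ == "__main__":
    for n, user, reasons in triage(SAMPLE_LOG):
        print(f"line {n} user={user}: " + "; ".join(reasons))
```

On the constructed sample the script flags the 02:14 admin login (external interface, no OTP, non-allowlisted source), the upload that follows it from the same address, and a user login from outside the allowlist; the admin login from the internal network with OTP passes. A hit is a prompt to pull the session's full history, not proof of compromise on its own.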
Earlier this year, SonicWall flagged other security vulnerabilities exploited in attacks targeting its Secure Mobile Access (SMA) appliances.
In May, the company prompted customers to patch three security vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) that could be chained to gain remote code execution as root, one of which was tagged as exploited in attacks.
One month earlier, SonicWall tagged another SMA100 flaw (CVE-2021-20035) as exploited in remote code execution attacks since at least January 2025.