Article Details

Scrape Timestamp (UTC): 2025-12-17 18:20:07.818

Source: https://thehackernews.com/2025/12/sonicwall-fixes-actively-exploited-cve.html

Original Article Text


SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC). It affects the following versions -

"This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges," SonicWall said. It's worth noting that CVE-2025-23006 was patched by the company in late January 2025 in version 12.4.3-02854 (platform-hotfix).

Clément Lecigne and Zander Work of Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting CVE-2025-40602. There are currently no details on the scale of the attacks and who is behind the efforts.

Back in July, Google said it's tracking a cluster named UNC6148 that's targeting fully patched end-of-life SonicWall SMA 100 series devices as part of a campaign designed to drop a backdoor called OVERSTEP. It's currently not clear if these activities are related.

In light of active exploitation, it's essential that SonicWall SMA 100 series users apply the fixes as soon as possible.

Daily Brief Summary

VULNERABILITIES // SonicWall Patches Actively Exploited Vulnerability in SMA 100 Appliances

SonicWall released patches for CVE-2025-40602 in SMA 100 appliances, a vulnerability actively exploited in the wild, allowing local privilege escalation through the appliance management console.

The vulnerability, with a CVSS score of 6.6, is linked to insufficient authorization, potentially enabling attackers to pair it with CVE-2025-23006 for remote code execution.

CVE-2025-23006, a more severe flaw with a CVSS score of 9.8, was addressed in January 2025, highlighting the ongoing need for timely patch management.

Discovery and reporting of CVE-2025-40602 were credited to Clément Lecigne and Zander Work from Google's Threat Intelligence Group, emphasizing collaboration in threat detection.

Google is monitoring a threat actor cluster, UNC6148, targeting end-of-life SonicWall devices with a backdoor named OVERSTEP, though its relation to the current vulnerability is unclear.

SonicWall urges immediate application of the patches to mitigate risks, underscoring the importance of proactive cybersecurity measures for affected users.

The incident serves as a reminder of the critical need for organizations to maintain up-to-date security protocols and patch management strategies.