On 17 December 2025, SonicWall released fixes for an actively exploited medium-severity zero-day vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC), tracked as CVE-2025-40602. The vulnerability allows local threat actors to escalate privileges due to insufficient authorisation in the SMA1000 AMC and does not affect SSL VPN functionality on SonicWall firewalls. SonicWall reported that threat actors have chained CVE-2025-40602 with CVE-2025-23006, a critical remote code execution vulnerability exploited earlier this year.
Arctic Wolf has not observed a public proof-of-concept exploit for CVE-2025-40602. However, threat actors are likely to continue targeting this vulnerability due to the level of access it provides and its ability to be chained with CVE-2025-23006. SonicWall products have been heavily targeted this year, including a recent September incident in which threat actors stole MySonicWall configuration backup files.
Recommendations for CVE-2025-40602
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| SMA1000 | 12.4.3-03093 (platform-hotfix) and earlier versions; 12.5.0-02002 (platform-hotfix) and earlier versions | 12.4.3-03245 (platform-hotfix) and higher versions; 12.5.0-02283 (platform-hotfix) and higher versions |
Note: CVE-2025-40602 does not affect SSL-VPN running on SonicWall firewalls.
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
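As an added defender-side check (not Arctic Wolf's or SonicWall's own tooling), the following Python parses SMA1000 version strings in the format the table above uses and classifies each appliance in a constructed inventory against the fixed versions for its release branch; the hostnames and the inventory itself are assumptions.

```python
import re

# Fixed versions from the advisory, keyed by release branch (major.minor).
# A version at or above the branch's fixed version is patched for CVE-2025-40602.
FIXED_VERSIONS = {
    (12, 4): "12.4.3-03245",
    (12, 5): "12.5.0-02283",
}

# Matches e.g. "12.4.3-03093" or "12.4.3-03093 (platform-hotfix)".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\s*\(platform-hotfix\))?$")


def parse_version(text):
    """Turn an SMA1000 version string into a comparable tuple of integers."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for a reported version."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        # Branches the advisory does not list cannot be judged from this table;
        # flag them for manual review instead of guessing.
        return "unknown-branch"
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


# Constructed sample inventory (hostname, reported version); not real devices.
SAMPLE_INVENTORY = [
    ("sma-dc1", "12.4.3-03093 (platform-hotfix)"),
    ("sma-dc2", "12.5.0-02283 (platform-hotfix)"),
    ("sma-lab", "12.5.0-02002"),
]


def triage(inventory):
    """Map each hostname to its patch status so unpatched appliances stand out."""
    return {host: assess(ver) for host, ver in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```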
Restrict Access to Appliance Management Console (AMC)
SonicWall recommends restricting access to the Appliance Management Console (AMC) to SSH connections originating only from a VPN or specific administrator IP addresses, and disabling both the SSL VPN management interface (AMC) and SSH access from the public internet. These practices reduce your attack surface against CVE-2025-40602 and other similar vulnerabilities that may arise in the future.