Sonicwall fixes critical flaw in SMA appliances, urges customers to check for compromise (CVE-2025-40599)

Sonicwall is asking customers running specific Secure Mobile Access (SMA) 100 Series devices to patch a newly uncovered vulnerability (CVE-2025-40599) as soon as possible.


“While there is currently no evidence that this vulnerability is being actively exploited in the wild,” Sonicwall is advising organizations using SMA 210, 410 or 500v appliances to check whether they have been compromised in a recently disclosed ongoing campaign delivering the OVERSTEP backdoor to end-of-life SMA devices.

The attack campaign, unearthed and documented by Google’s incident responders and threat intelligence analysts, has been going on for at least six months.

Google’s security experts have been unable to discover how the attackers are gaining administrative access to the targeted devices – whether by exploiting a known or unknown vulnerability, or by sourcing credentials from criminal forums – but posited that they have been using a zero-day vulnerability to deploy the specially designed backdoor and a reverse shell.

Whether that zero-day was, or could have been, CVE-2025-40599 remains unknown for the moment.

About CVE-2025-40599

CVE-2025-40599 is a flaw in the SMA 100 series web management interface that may allow a remote attacker with administrative privileges to upload arbitrary files to the system, potentially leading to remote code execution.

The vulnerability affects SMA 210, 410 and 500v appliances running firmware versions 10.2.1.15-81sv and earlier.

There are no available workarounds, so users must upgrade to v10.2.2.1-90sv or higher to plug this security hole.

But before they do this, they should review appliance logs and connection history for anomalies and indicators of compromise shared by Google’s Threat Intelligence Group, and check for unauthorized access.

Once the devices have been upgraded, they should also:

  • Disable remote management access on the external-facing interface (X1) to reduce the attack surface
  • Reset all passwords and reinitialize OTP (One-Time Password) binding for users and administrators on the appliance
  • Enforce multi-factor authentication (MFA) for all users
  • Enable the web application firewall on the device

Detailed steps have been outlined in the security advisory.

CVE-2025-40599 doesn’t affect SonicWall SSL VPN SMA1000 series products or SSL-VPN running on SonicWall firewalls, the company stated.
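As an added example (not code from SonicWall or from the article), the following Python helper applies the scope stated above, affected models SMA 210/410/500v on 10.2.1.15-81sv and earlier, fix in 10.2.2.1-90sv or higher, and the SMA1000 series out of scope, to an appliance inventory so that a defender can decide which devices to examine for compromise before patching. The hostnames and firmware values in the sample inventory are constructed; builds that fall between the last affected and the first fixed version are reported as unlisted rather than guessed at.

```python
import re

# Scope exactly as given in the advisory summary above.
AFFECTED_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}
LAST_AFFECTED = "10.2.1.15-81sv"   # this build and earlier are affected
FIRST_FIXED = "10.2.2.1-90sv"      # this build or higher contains the fix

# SMA 100 series firmware strings look like "10.2.1.15-81sv": dotted release, dash, build, "sv".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


def parse_version(version: str) -> tuple:
    """Turn '10.2.1.15-81sv' into a comparable tuple: ((10, 2, 1, 15), 81)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA 100 firmware version: {version!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    return (release, int(match.group(2)))


def is_affected(model: str, version: str) -> bool:
    """True when the model is in scope and the firmware is at or below the last affected build."""
    if model not in AFFECTED_MODELS:
        return False  # e.g. SMA1000 series, which the vendor states is not affected
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage(inventory: list) -> dict:
    """Classify (hostname, model, firmware) records for CVE-2025-40599 exposure."""
    results = {}
    for host, model, firmware in inventory:
        if model not in AFFECTED_MODELS:
            results[host] = "out of scope"
        elif parse_version(firmware) <= parse_version(LAST_AFFECTED):
            # Affected devices: review logs for compromise first, then upgrade.
            results[host] = "affected: check for compromise, then upgrade"
        elif parse_version(firmware) >= parse_version(FIRST_FIXED):
            results[host] = "patched"
        else:
            results[host] = "unlisted build: confirm against the vendor advisory"
    return results


# Constructed sample inventory; hostnames and firmware values are made up for illustration.
SAMPLE_INVENTORY = [
    ("sma-hq", "SMA 410", "10.2.1.15-81sv"),
    ("sma-branch", "SMA 210", "10.2.1.14-75sv"),
    ("sma-cloud", "SMA 500v", "10.2.2.1-90sv"),
    ("sma-large", "SMA 1000", "unknown"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```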
