
SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

High
Published: Wed Dec 17 2025 (12/17/2025, 18:17:00 UTC)
Source: The Hacker News

Description

SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC). It affects the following

AI-Powered Analysis

Last updated: 12/17/2025, 23:21:34 UTC

Technical Analysis

CVE-2025-40602 (CVSS 6.6) is a local privilege escalation in SonicWall Secure Mobile Access (SMA) appliances. It stems from insufficient authorization checks in the appliance management console (AMC): an attacker who already has local access to the appliance can escalate to privileges beyond those their role grants. Affected versions are 12.4.3-03093 and earlier and 12.5.0-02002 and earlier; the fixes ship as platform hotfixes 12.4.3-03245 and 12.5.0-02283. One caveat for anyone checking exposure: the 12.4.x and 12.5.x version strings and the AMC component belong to the SMA 1000 series firmware line, while SMA 100 series appliances run the 10.2.x firmware line, so confirm against SonicWall's advisory which product line a given device belongs to before concluding it is in or out of scope. SonicWall says the flaw has been exploited in the wild in conjunction with CVE-2025-23006, the critical pre-authentication remote code execution vulnerability in the AMC and Central Management Console (CMC) that was patched in January 2025: the RCE provides the initial foothold and the LPE elevates it to root, giving full control of the appliance and a pivot into the networks it fronts. The bug was discovered and reported by Google Threat Intelligence Group (GTIG). The scale of exploitation and the actors behind it have not been disclosed. Separately, GTIG has documented the cluster UNC6148 targeting fully patched but end-of-life SMA 100 series devices and deploying a backdoor named OVERSTEP, which shows sustained attacker interest in SonicWall SMA hardware across product lines. Because these appliances terminate remote access for the networks behind them, a compromise affects the confidentiality, integrity, and availability of everything they front, and patching should not wait for a maintenance window.

Potential Impact

For European organizations, chaining CVE-2025-40602 with CVE-2025-23006 puts the remote-access perimeter itself at risk. SMA appliances are deployed to front VPN and remote access for finance, healthcare, government and critical-infrastructure operators. A successful chain yields arbitrary code execution as root on the appliance without valid credentials; from there an attacker is positioned to intercept remote-user traffic, alter access policy, and pivot into the internal network behind the device. The consequences are data breaches, disruption of remote-access services for the hybrid and remote workforces common across Europe, and unauthorized access to internal systems; under GDPR those breaches also carry notification duties and potential penalties. Organizations still running end-of-life or unpatched SMA 100 series appliances face the added risk demonstrated by UNC6148: persistent backdoors such as OVERSTEP on devices that were otherwise fully patched, with espionage as the likely objective.

Mitigation Recommendations

Inventory every SonicWall SMA appliance and record its firmware version; upgrade anything below platform hotfix 12.4.3-03245 (12.4 branch) or 12.5.0-02283 (12.5 branch). Appliances past end of support cannot receive the hotfix and should be retired or replaced with a supported model. Because the flaw is a local privilege escalation, reduce who can reach the AMC at all: place the management interface on a dedicated management network, restrict access to named administrators, and never expose the AMC to the internet. MFA on administrative logins does not stop a post-authentication escalation, but it does raise the cost of the credential theft that typically precedes one. Review AMC audit and system logs for unexpected administrative actions, new accounts, and configuration changes, and check end-of-life SMA 100 series devices for the OVERSTEP indicators GTIG has published; a host EDR agent cannot be installed on the appliance itself, so rely on the appliance's own logs, network monitoring in front of and behind it, and SonicWall's published guidance. Rehearse an incident response playbook that treats a compromised appliance as fully owned, including rotation of every credential that authenticated through it. Subscribe to SonicWall's PSIRT advisories to track follow-up patches, and make sure the team that owns these devices understands that end-of-life hardware on the perimeter is an open door rather than a cost saving.
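The version check above is easy to get wrong by hand because the build number after the hyphen is zero-padded and must be compared numerically, not as a string. The following is an added example, not SonicWall tooling: it parses SMA 1000-style version strings, compares each against the hotfix builds quoted on this page (12.4.3-03245 and 12.5.0-02283), and flags anything it cannot classify. The inventory text is constructed for illustration; the hostnames and the `scan_inventory` line format are assumptions, and SMA 100 series 10.2.x strings deliberately fall out as unparseable so they are reviewed against the correct advisory rather than silently marked safe.

```python
"""Check SonicWall SMA appliance firmware versions against the CVE-2025-40602
fix builds.

Added example, not SonicWall's own tooling. Fix builds come from the advisory
as quoted on this page. The inventory below is constructed for illustration;
in practice feed it from your CMDB or the appliance's version output.
"""
import re
from typing import List, Optional, Tuple

# SMA 1000-style strings: dotted release plus a zero-padded build, e.g. 12.4.3-03093.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

# Platform hotfixes that remediate CVE-2025-40602, one per release branch.
FIX_12_4 = (12, 4, 3, 3245)   # 12.4.3-03245
FIX_12_5 = (12, 5, 0, 2283)   # 12.5.0-02283


def parse_version(s: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '12.4.3-03093' into (12, 4, 3, 3093) so tuples compare numerically.

    Returns None for anything that does not follow the 12.x.y-NNNNN shape,
    including SMA 100 series 10.2.x strings, which belong to a different
    product line and advisory.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def assess(version: str) -> str:
    """Classify one version string.

    'vulnerable'     below the fix build for its branch
    'fixed'          at or above the fix build
    'unknown-branch' a release line this check knows nothing about
    'unparseable'    not an SMA 1000-style version string at all
    """
    v = parse_version(version)
    if v is None:
        return "unparseable"
    branch = v[:2]
    if branch <= (12, 4):
        # "12.4.3-03093 and earlier" covers every build below the 12.4.3 fix,
        # including older 12.x branches.
        return "fixed" if v >= FIX_12_4 else "vulnerable"
    if branch == (12, 5):
        return "fixed" if v >= FIX_12_5 else "vulnerable"
    # Newer branches are not covered by the advisory text on this page;
    # flag them for a manual check instead of assuming they are safe.
    return "unknown-branch"


def scan_inventory(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'hostname version' lines (assumed format; '#' starts a comment)
    and return (hostname, version, status) for each appliance."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, version = line.partition(" ")
        results.append((host, version.strip(), assess(version)))
    return results


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """
# host           version
sma-fra-01       12.4.3-03093    # affected build named in the advisory
sma-fra-02       12.4.3-03245    # hotfix applied
sma-ams-01       12.5.0-02002    # affected build named in the advisory
sma-ams-02       12.5.0-02283    # hotfix applied
sma-lon-legacy   10.2.1.14-75sv  # SMA 100 series: different product line
"""

if __name__ == "__main__":
    for host, version, status in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host:<16} {version:<16} {status}")
```

Anything reported as `vulnerable` needs the hotfix; `unparseable` and `unknown-branch` need a human to look up the right advisory for that device. The ordered-tuple comparison is the whole point: `"12.4.3-03300" > "12.4.3-03245"` happens to work as a string, but `"12.4.3-10000" < "12.4.3-3245"` would not, and the zero padding is not guaranteed to survive copy-paste from a dashboard.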


Technical Details

Article Source
URL: https://thehackernews.com/2025/12/sonicwall-fixes-actively-exploited-cve.html (fetched 2025-12-17T23:21:20Z, 828 words)

Threat ID: 69433af3058703ef3fd57b05

Added to database: 12/17/2025, 11:21:23 PM

Last enriched: 12/17/2025, 11:21:34 PM

Last updated: 12/18/2025, 1:04:16 PM
