SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated file upload vulnerability that allows attackers to gain remote code execution.
The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interface.
“SonicWall strongly recommends that users of SMA 100 series products (SMA 210, 410, and 500V) upgrade to the specified fixed release version to fix this vulnerability,” the company said. “This vulnerability does not affect SonicWall SSL VPN SMA1000 series products or SSL-VPN running on SonicWall firewalls.”
Attackers need administrative privileges to successfully exploit CVE-2025-40599, and SonicWall has yet to find evidence that the vulnerability is being actively exploited. However, because SMA 100 appliances are already being targeted in attacks using compromised credentials, the company is warning customers to secure their devices.
As Google Threat Intelligence Group (GTIG) researchers warned last week, an unknown threat actor tracked as UNC6148 is deploying a new rootkit malware called OVERSTEP on fully patched SonicWall SMA 100 series devices. GTIG believes that UNC6148 is engaged in data theft and extortion attacks and may also deploy Abyss ransomware (also tracked as VSOCIETY).
While investigating these attacks, investigators found evidence suggesting that the threat actors had stolen the credentials for their target appliances by exploiting multiple vulnerabilities (CVE-2021-20038, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819).
SonicWall “strongly advised” customers using SMA 100 virtual or physical appliances to review the indicators of compromise (IoCs) from GTIG's report, check for unauthorized access, and review the appliance's logs and connection history for suspicious activity. Administrators who find evidence of compromise are encouraged to immediately reach out to SonicWall Support.
To protect their devices, users should restrict remote management access on the external interface, reset all passwords, and reactivate the OTP (one-time password) binding for both users and administrators. Additionally, multi-factor authentication (MFA) must be enforced and the Web Application Firewall (WAF) must be enabled.
Earlier this year, SonicWall flagged other security vulnerabilities exploited in attacks targeting Secure Mobile Access (SMA) appliances.
In May, the company urged its customers to patch three security vulnerabilities: CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821.
A month earlier, SonicWall tagged another SMA100 flaw (CVE-2021-20035) as exploited in remote code execution attacks since at least January 2025.