
SonicWall has issued a security advisory for a critical vulnerability in its SMA 100 series SSL-VPN appliances that allows an authenticated attacker to execute arbitrary code on an affected device. The flaw, tracked as CVE-2025-40599, affects firmware versions 10.2.1.15-81sv and earlier.
The vulnerability is an arbitrary file upload in the web management interface: an authenticated user with administrative privileges can upload malicious files, which can lead to remote code execution (RCE). Because it requires administrator credentials, its practical impact is greatest where those credentials have already been stolen. SonicWall has released firmware 10.2.2.1-90sv to fix the issue and urges all customers to update immediately.
SonicWall states there is no evidence that CVE-2025-40599 itself has been exploited, but it also confirms that threat actors are actively targeting SMA 100 appliances, particularly using previously stolen administrative credentials. The urgency comes from Google Threat Intelligence Group (GTIG), which uncovered a backdoor campaign attributed to the threat group UNC6148. The campaign used the OVERSTEP malware to maintain persistent access, including on appliances that had been fully patched, and to steal credentials over extended periods.
GTIG traced the activity back to at least October 2024, with some intrusions remaining undetected until June 2025. The campaign reportedly targeted organizations worldwide and relied on both known vulnerabilities and reused credentials.
SonicWall also noted other vulnerabilities fixed in the same release, including a denial-of-service issue and a cross-site scripting flaw.
What You Should Do Now
- Update all SMA 100 series devices to firmware version 10.2.2.1-90sv or higher.
- Audit all administrative accounts and reset their credentials, especially any that have been reused across systems.
- Re-enroll multi-factor authentication tokens and restrict access to the management interface to internal networks only.
- If compromise is suspected, do not rely on patching alone (OVERSTEP has persisted on patched systems): fully redeploy virtual appliances and restore only from trusted backups.
- Review system logs and check for indicators of compromise related to OVERSTEP or unusual file uploads.
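A practical check for the first item above, added here as an example and not SonicWall's own tooling: SMA 100 firmware strings such as 10.2.1.15-81sv have the shape MAJOR.MINOR.PATCH.HOTFIX-BUILDsv, and comparing them as plain strings is wrong (a hotfix number of 9 sorts above 15). The script below parses them into integer tuples and triages an inventory against the fixed build 10.2.2.1-90sv. The hostnames and inventory are constructed for the demonstration, and the build 10.2.2.2-95sv is hypothetical. A device landing in the patched bucket is up to date, not necessarily clean; the redeployment advice above still applies if compromise is suspected.

```python
import re
from typing import Dict, List, Tuple

# Build that SonicWall's advisory names as the fix for CVE-2025-40599.
FIXED_VERSION = "10.2.2.1-90sv"

# SMA 100 firmware strings have the shape MAJOR.MINOR.PATCH.HOTFIX-BUILDsv.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '10.2.1.15-81sv' into (10, 2, 1, 15, 81).

    Integer tuples compare component-wise, so 10.2.1.9 sorts below 10.2.1.15;
    a plain string comparison would put '10.2.1.9-...' above '10.2.1.15-...'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 firmware string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the build is older than the fixed build.

    The advisory's affected range is 10.2.1.15-81sv and earlier, i.e. everything
    below 10.2.2.1-90sv.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort an inventory {hostname: firmware} into needs_update / patched / unknown."""
    result: Dict[str, List[str]] = {"needs_update": [], "patched": [], "unknown": []}
    for host, fw in sorted(inventory.items()):
        try:
            bucket = "needs_update" if is_vulnerable(fw) else "patched"
        except ValueError:
            bucket = "unknown"  # blank or hand-typed entries: verify on the device
        result[bucket].append(host)
    return result


# Constructed sample inventory for the demonstration; these are not real hosts.
SAMPLE_INVENTORY = {
    "sma-hq-01": "10.2.1.15-81sv",  # last affected build named in the advisory
    "sma-hq-02": "10.2.1.9-57sv",   # older build; sorts wrongly as a string
    "sma-dc-01": "10.2.2.1-90sv",   # fixed build
    "sma-dc-02": "10.2.2.2-95sv",   # hypothetical later build, also fine
    "sma-lab-01": "unknown",        # inventory gap
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>12}: {', '.join(hosts) or '-'}")
```

Feed it whatever your asset inventory exports (the version string is shown on the appliance's management console and in its support data), and treat every "unknown" as a device to check by hand rather than as patched.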
SonicWall’s SMA appliances have long been attractive targets because of their role as a secure access gateway, which makes them a convenient point of initial compromise in larger campaigns. An earlier chain of flaws (CVE-2025-32819, CVE-2025-32820 and CVE-2025-32821), documented by Rapid7 earlier this year, allowed similar exploitation. This advisory adds another chapter to the continued targeting of perimeter VPN and SSL-VPN appliances.
Sources:
- Canadian Centre for Cyber Security – AV25-447: https://www.cyber.gc.ca/en/alerts-advisories/sonicwall-security-advisory-av25-447
- BleepingComputer – SonicWall warns of critical RCE flaw in SMA 100 VPN appliances: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-rce-flaw-in-sma-100-VPN-appliances/