- July 29, 2025
Critical Vulnerabilities in SonicWall SMA (CVE-2025-40596, CVE-2025-40597, CVE-2025-40598)
Executive Summary
On July 23, 2025, SonicWall disclosed three newly identified vulnerabilities in SonicWall’s Secure Mobile Access (SMA) 100 series devices: CVE-2025-40596, CVE-2025-40597, and CVE-2025-40598. If successfully exploited, the vulnerabilities range from allowing unauthenticated attackers to perform a Denial of Service (DoS) attack to executing arbitrary JavaScript code. The vulnerabilities were found and reported to SonicWall by a third-party cyber security firm, and SonicWall quickly released patches through its normal update channels. SonicWall has not confirmed active exploitation of these vulnerabilities at the time of this writing. However, the reporting security firm has published proof-of-concept details and technical walkthroughs, increasing the likelihood of active exploitation.
Exploitation does not require authentication and can be triggered over the internet, making unpatched systems highly attractive targets. Beazley Security recommends that organizations using affected SMA 100 series devices (SMA 210, 410, and 500v) prioritize patching immediately.
Affected Systems or Products
These vulnerabilities affect SonicWall SMA 100 Series appliances.
| Products | Affected | Unaffected |
|---|---|---|
| SMA 100 Series (SMA 210, 410, 500v) | 10.2.1.15-81sv and earlier versions | 10.2.2.1-90sv and higher versions |
Mitigations / Workarounds
Due to the internet facing nature of these devices, Beazley Security recommends patching be performed immediately.
If patching cannot be performed immediately, administrators are advised to restrict external access to vulnerable SMA100 appliances, or isolate them, so that only trusted network ranges and services can reach them.
Implement real-time monitoring for unusual system crashes, traffic patterns, and DoS attempts.
Enable and enforce WAF functionality on the SMA100 (where licensed).
Patches
SonicWall has released hotfix version 10.2.2.1-90 for SMA100 products. The hotfix can be found by logging in to the MySonicWall web application:
Log in to https://www.mysonicwall.com/
Find the “Resources & Support | My Downloads” section and select the impacted model from the list provided
Specific details about the hotfix can be found on SonicWall’s security advisory.
Indicators of Compromise
Based on information available at the time of this publication, no official indicators of compromise have been released by SonicWall. Because exploitation targets memory-handling weaknesses (memory corruption bugs), traditional IoCs may not be immediately visible in logs. Instead, defenders should watch for the following indicators of attack:
Repeated crashing or service restart events involving SMA system processes
Unexpected session drops and device reboots
Padded or unusually long GET request parameters sent to the API endpoint /__api__/v1/
Suspicious WAF events (if licensed and enabled) on the SMA100
Suspicious cross-site scripting attempts against the RADIUS challenge login endpoint:
hxxps://<target>/cgi-bin/radiusChallengeLogin
Technical Details
CVE-2025-40596 and CVE-2025-40597
These two vulnerabilities are traditional memory corruption bugs in the appliance API system. In both cases, when an abnormally large amount of data is sent to a specific URL, the software does not bound that data properly, and system memory becomes corrupted. This normally results in a crash and Denial of Service (DoS), but carefully crafted attack traffic can sometimes grant threat actors remote code execution (RCE) on a victim appliance.
Luckily in this case, the stack overflow vulnerability (CVE-2025-40596) is reportedly mitigated by a system-level protection mechanism known as a stack canary. Additionally, the heap overflow (CVE-2025-40597) is somewhat mitigated by the fact that, under normal operation, the memory surrounding the bug’s location is highly volatile and not predictable enough for consistent exploitation. In both cases, organizations can hunt for indicators of attack by reviewing suspicious-looking requests to the API. More specifically, for CVE-2025-40596, attack attempts will look like the following:
GET /__api__/v1/<attack payload>
And for CVE-2025-40597, attack attempts will look like the following:
GET /__api__/ HTTP/1.1
Host: <attack payload>
<other HTTP headers>
CVE-2025-40598
This vulnerability is a reflected cross-site scripting (XSS) bug and is typically used by a threat actor to steal authentication data (such as session cookies) from users in order to gain unauthorized access. It is somewhat mitigated by the fact that a successful attack would typically require the threat actor to craft a malicious link or form and then trick an internal user into clicking or submitting it. This amount of required user interaction tends to limit how widespread a campaign based on this type of exploit can get.
Attack attempts against this vulnerable system will look similar to the following:
hxxps://<target>/cgi-bin/radiusChallengeLogin?portalName=portal1&status=needchallenge&state="<attack payload>"
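The three request patterns above (an oversized path under /__api__/v1/, an abnormal Host header on an /__api__/ request, and markup in the state parameter sent to /cgi-bin/radiusChallengeLogin) can be turned into a simple log-hunting check. The following Python script is an added example written for this page; it is not code from Beazley Security or SonicWall. It assumes a simplified, constructed access-log format of "method target protocol host" per line (real SMA or proxy logs will need their own parser), and the length thresholds are assumptions chosen for illustration rather than values from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Thresholds are assumptions for this example, not values from the advisory.
MAX_API_PATH_LEN = 512   # legitimate /__api__/v1/ paths are short
MAX_HOST_LEN = 253       # a DNS hostname cannot legitimately exceed 253 characters
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")
# Assumed constructed log format: "<method> <target> <protocol> <host header>"
LOG_RE = re.compile(r"^(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+) (?P<host>\S+)$")
MARKUP_CHARS = set('<>"\'')


def parse_line(line):
    """Split one constructed access-log line into fields; None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return (cve, reason) when a request matches one of the three patterns, else None."""
    target, host = entry["target"], entry["host"]
    parts = urlsplit(target)
    path = parts.path
    # CVE-2025-40596: padded / oversized request path under /__api__/v1/
    if path.startswith("/__api__/v1/") and len(path) > MAX_API_PATH_LEN:
        return ("CVE-2025-40596", f"oversized /__api__/v1/ path ({len(path)} bytes)")
    # CVE-2025-40597: payload carried in the Host header of an /__api__/ request
    if path.startswith("/__api__/") and (len(host) > MAX_HOST_LEN or not HOSTNAME_RE.match(host)):
        return ("CVE-2025-40597", f"abnormal Host header on /__api__/ request ({len(host)} bytes)")
    # CVE-2025-40598: markup in the state= parameter of the RADIUS challenge login page
    if path == "/cgi-bin/radiusChallengeLogin":
        state = parse_qs(parts.query).get("state", [""])[0]
        decoded = unquote(state)  # parse_qs already decodes once; this also catches double-encoding
        if MARKUP_CHARS & set(decoded) or "script" in decoded.lower():
            return ("CVE-2025-40598", "markup characters in state= parameter")
    return None


def scan(log_text):
    """Scan a block of log lines and return a list of (line_no, cve_or_tag, reason)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            findings.append((lineno, "PARSE-ERROR", "unparseable line"))
            continue
        hit = classify(entry)
        if hit:
            findings.append((lineno, hit[0], hit[1]))
    return findings


# Constructed sample traffic for demonstration; not real SonicWall log data.
SAMPLE_LOG = "\n".join([
    "GET /__api__/v1/status HTTP/1.1 sma.example.com",
    "GET /__api__/v1/" + "A" * 3000 + " HTTP/1.1 sma.example.com",
    "GET /__api__/ HTTP/1.1 " + "B" * 4096,
    "GET /cgi-bin/radiusChallengeLogin?portalName=portal1&status=needchallenge&state=abc123 HTTP/1.1 sma.example.com",
    "GET /cgi-bin/radiusChallengeLogin?portalName=portal1&status=needchallenge"
    "&state=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1 sma.example.com",
])

if __name__ == "__main__":
    for lineno, cve, reason in scan(SAMPLE_LOG):
        print(f"line {lineno}: {cve} - {reason}")
```

On the constructed sample the script flags lines 2, 3 and 5 and leaves the two benign requests alone. The Host check deliberately flags both overlong values and values containing characters that cannot appear in a hostname, since the advisory only says the payload travels in the Host header; tune the thresholds to the request sizes your own appliance actually sees before relying on the result.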
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.