CVE-2025-40602

Dec. 19, 2025, 1:57 p.m.

6.6
Medium

Description

A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).

Product(s) Impacted

Vendor Product Versions
Sonicwall
  • Sma6200 Firmware
  • Sma6200
  • Sma6210 Firmware
  • Sma6210
  • Sma7200 Firmware
  • Sma7200
  • Sma7210 Firmware
  • Sma7210
  • Sma8200v
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-250
Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o sonicwall sma6200_firmware / / / / / / / /
o sonicwall sma6200_firmware / / / / / / / /
h sonicwall sma6200 - / / / / / / /
o sonicwall sma6210_firmware / / / / / / / /
o sonicwall sma6210_firmware / / / / / / / /
h sonicwall sma6210 - / / / / / / /
o sonicwall sma7200_firmware / / / / / / / /
o sonicwall sma7200_firmware / / / / / / / /
h sonicwall sma7200 - / / / / / / /
o sonicwall sma7210_firmware / / / / / / / /
o sonicwall sma7210_firmware / / / / / / / /
h sonicwall sma7210 - / / / / / / /
a sonicwall sma8200v / / / / / / / /
a sonicwall sma8200v / / / / / / / /

References

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40602

Tags

PSIRT@sonicwall.com
2025-12-18
CVE-2025-40602

CVSS Score

6.6 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: HIGH
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Dec. 18, 2025, 11:15 a.m.
Last Modified: Dec. 19, 2025, 1:57 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

PSIRT@sonicwall.com

Relations

Here is the list of observables linked to the vulnerability CVE-2025-40602 using threat intelligence.

  • SMA1000 appliance
  • SMA1000 appliance

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.