SonicWall is urging customers to patch SMA 100 series devices against an important authenticated arbitrary file upload vulnerability that may allow attackers to gain remote code execution.
The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interface, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
“SonicWall strongly recommends that users of SMA 100 series products (SMA 210, 410, and 500V) upgrade to the specified fixed release version to remove this vulnerability,” the company said. “This vulnerability is running on SonicWall SSL VPN SMA1000 series products or SSL-VPN on SonicWall Firewall.”
Although attackers need administrator privileges to successfully exploit CVE-2025-40599, and SonicWall has not yet found evidence that the vulnerability is being actively exploited, the company has warned customers to secure their devices because SMA 100 devices are already being compromised in attacks.
As Google Threat Intelligence Group (GTIG) researchers warned last week, an unknown threat actor tracked as UNC6148 is deploying new rootkit malware on fully patched SonicWall SMA 100 series devices. GTIG believes that UNC6148 is engaged in data theft and extortion attacks, and may also deploy Abyss ransomware (also tracked as VSOCIETY).
While investigating these attacks, investigators found evidence that the threat actor had stolen credentials by exploiting several vulnerabilities on the targeted device in January (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819,
SonicWall ‘firmly’ advised customers using SMA 100 virtual or physical appliances to check for indicators of compromise (IoCs) by reviewing device logs and connection history for unauthorized access and suspicious activity. If they find any evidence of compromise, administrators are advised to contact SonicWall Support immediately for help.
To secure their devices, users must limit remote management access on the external interface, reset all passwords, and reinitialize OTP (One-Time Password) binding for both users and administrators. They should also enforce multi-factor authentication (MFA) and enable the web application firewall (WAF).
Earlier this year, SonicWall flagged other security vulnerabilities exploited in attacks targeting its Secure Mobile Access (SMA) appliances.
In May, the company urged customers to patch three security vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) that could be chained to obtain remote code execution as root, one of which was tagged as exploited in attacks.
A month earlier, SonicWall tagged another SMA100 flaw (CVE-2021-20035) as exploited in remote code execution attacks since at least January 2025.