PT-2025-30578 · Unknown · Sma 100 Series

Dawid Skomski · Published 2025-07-23 · Updated 2025-08-06 · CVE-2025-40599

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SonicWall SMA 100 Series versions 210, 410, and 500v
SonicWall SMA 100 Series (affected versions not specified)

Description

A critical authenticated arbitrary file upload vulnerability exists in the SonicWall SMA 100 series web management interface. This flaw allows a remote attacker with administrative privileges to upload arbitrary files to the system, potentially leading to remote code execution (RCE). Multiple threat actors, including UNC6148 and those associated with the Akira, Fog, Babuk, Overstep, Abyss locker, and Vsociety malware, have been observed exploiting this vulnerability. The Overstep backdoor has been actively deployed on compromised devices. Numerous ransomware groups have targeted SonicWall appliances, and this vulnerability has been actively exploited in ongoing campaigns. Compromised privileged accounts have been used for lateral movement and data exfiltration.

Recommendations

SonicWall SMA 100 Series versions 210, 410, and 500v: Update to a fixed version.
SonicWall SMA 100 Series (affected versions not specified): Update to a fixed version.

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2025-10717
CVE-2025-40599

Affected Products

Sma 100 Series