A significant security flaw has been identified in SonicWall’s Gen7 firewall products, potentially allowing remote, unauthenticated attackers to disrupt services through denial-of-service (DoS) attacks. This vulnerability, designated as CVE-2025-40600, affects the SSL VPN interface of various SonicWall firewall models and has been assigned a CVSS v3 score of 5.9, indicating medium severity with a high impact on availability.
Understanding the SSL VPN DoS Vulnerability
The vulnerability, officially cataloged as SNWLID-2025-0013, arises from a Use of Externally-Controlled Format String issue, classified under CWE-134. This type of flaw occurs when an application passes externally controlled input as the format string of a printf-style function. Conversion specifiers in that input can then make the function read or write memory it was never meant to touch, leading to application crashes or service disruptions.
The flaw sits in the SonicOS SSL VPN interface and is reachable by remote attackers without authentication. The CVSS vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H indicates that, despite a high attack complexity, it can be exploited over the network without user interaction, primarily affecting system availability rather than confidentiality or integrity.
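How the vector above produces the 5.9 base score, as an added example that is not part of the original article: the function applies the CVSS v3 base equations for Scope:Unchanged vectors. The function and helper names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Value letter of one metric in the vector, or 0 if the metric is missing. */
static char metric(const char *vec, const char *name) {
    char key[8];
    snprintf(key, sizeof key, "/%s:", name);
    const char *p = strstr(vec, key);
    return p ? p[strlen(key)] : 0;
}

/* Weight of value `v`, where letters[i] maps to w[i]; -1 if not a legal value. */
static double weight(char v, const char *letters, const double *w) {
    const char *p = v ? strchr(letters, v) : NULL;
    return p ? w[p - letters] : -1.0;
}

/* CVSS v3.x base score in tenths (59 means 5.9) for Scope:Unchanged vectors.
 * Returns -1 for a changed scope or a missing or unknown metric value. */
int cvss3_base_tenths(const char *vec) {
    static const double AV[] = {0.85, 0.62, 0.55, 0.20};  /* N A L P */
    static const double AC[] = {0.77, 0.44};              /* L H */
    static const double PR[] = {0.85, 0.62, 0.27};        /* N L H */
    static const double UI[] = {0.85, 0.62};              /* N R */
    static const double CIA[] = {0.56, 0.22, 0.0};        /* H L N */
    if (metric(vec, "S") != 'U') return -1;
    double av = weight(metric(vec, "AV"), "NALP", AV);
    double ac = weight(metric(vec, "AC"), "LH", AC);
    double pr = weight(metric(vec, "PR"), "NLH", PR);
    double ui = weight(metric(vec, "UI"), "NR", UI);
    double c = weight(metric(vec, "C"), "HLN", CIA);
    double i = weight(metric(vec, "I"), "HLN", CIA);
    double a = weight(metric(vec, "A"), "HLN", CIA);
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0) return -1;
    double impact = 6.42 * (1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a));
    if (impact <= 0.0) return 0;              /* no impact means score 0.0 */
    double raw = impact + 8.22 * av * ac * pr * ui;
    if (raw > 10.0) raw = 10.0;
    long n = (long)(raw * 100000.0 + 0.5);    /* round up to one decimal */
    return (int)(n / 10000) + (n % 10000 != 0);
}

int main(void) {
    const char *vec = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H";  /* from the article */
    int t = cvss3_base_tenths(vec);
    printf("%s -> %d.%d\n", vec, t / 10, t % 10);
    return 0;
}
```

With AC:L instead of AC:H the same vector scores 7.5, which shows how much of the medium rating rests on the high attack complexity.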
Security researchers have identified that attackers can exploit format string weaknesses in the SSL VPN component, potentially leading to memory corruption and subsequent service crashes. The attack vector requires no special privileges and can be executed remotely, posing a significant concern for organizations relying on SonicWall firewalls for network security.
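The CWE-134 pattern described in this section, shown beside its fix, as an added example that is not SonicOS code and not part of the original article. All function names are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Compilers flag the call below (-Wformat-security); the warning is silenced
 * here only so the vulnerable and fixed forms can sit side by side. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* CWE-134: the untrusted string IS the format, so any conversion specifier
 * in it makes snprintf consume arguments that were never passed.
 * Kept for contrast only; nothing in this example calls it. */
int log_field_unsafe(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, untrusted);
}
#pragma GCC diagnostic pop

/* Fixed form: constant format string, untrusted text passed as data. */
int log_field_safe(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, "%s", untrusted);
}

/* Detection aid: count conversion specifiers in input that should be plain
 * text. "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s) {
    int hits = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        hits++;
    }
    return hits;
}

int main(void) {
    const char *sample = "user=%x.%x 100%% done";  /* constructed input */
    char line[64];
    log_field_safe(line, sizeof line, sample);
    printf("%s (specifiers: %d)\n", line, count_conversions(sample));
    return 0;
}
```

Building with -Wformat -Wformat-security (or -Werror=format-security) turns the unsafe call into a compile-time finding, which is the cheapest place to catch this class of bug.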
Risk Factors and Affected Products
The vulnerability impacts a wide range of Gen7 hardware firewalls, including models such as TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, and NSsp 15700. Additionally, Gen7 virtual firewalls (NSv), including NSv270, NSv470, and NSv870 variants across platforms like ESX, KVM, Hyper-V, AWS, and Azure, are also affected.
Systems running SonicOS versions 7.2.0-7015 and older are vulnerable, while the 7.0.1 branch remains unaffected. Notably, SonicWall’s Gen6 and Gen8 firewalls, as well as SMA 1000 and SMA 100 series SSL VPN products, are not impacted by this vulnerability.
Mitigation Strategies
To address this security issue, SonicWall has released fixed software version 7.3.0-7012 and higher. Organizations are strongly advised to upgrade to this patched version to maintain both security and SSL VPN functionality.
For organizations unable to immediately update, SonicWall recommends disabling the SSL-VPN interface as a temporary workaround. It’s important to note that this vulnerability does not impact firewalls without SSL-VPN enabled.
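A triage helper for an inventory of firewalls, built from the version ranges and the workaround stated above, as an added example that is not SonicWall tooling or part of the original article. It assumes version strings of the form "7.2.0-7015" and that SonicOS major version 7 corresponds to Gen7; the hostnames are constructed, and builds the article does not classify are reported as unknown.

```c
#include <stdio.h>

enum verdict { NOT_AFFECTED, FIXED, UPGRADE_NOW, UPGRADE_SSLVPN_OFF, UNKNOWN };

/* Compare two four-part versions; negative, zero or positive like strcmp. */
static int vercmp(const int a[4], const int b[4]) {
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Triage one firewall from its SonicOS version string, e.g. "7.2.0-7015". */
enum verdict triage(const char *sonicos, int sslvpn_enabled) {
    static const int last_affected[4] = {7, 2, 0, 7015};
    static const int first_fixed[4]   = {7, 3, 0, 7012};
    int v[4];
    if (sscanf(sonicos, "%d.%d.%d-%d", &v[0], &v[1], &v[2], &v[3]) != 4)
        return UNKNOWN;                                /* unparseable string */
    if (v[0] != 7) return NOT_AFFECTED;                /* assumption: major 7 == Gen7 */
    if (v[1] == 0 && v[2] == 1) return NOT_AFFECTED;   /* 7.0.1 branch */
    if (vercmp(v, first_fixed) >= 0) return FIXED;
    if (vercmp(v, last_affected) <= 0)                 /* 7.2.0-7015 and older */
        return sslvpn_enabled ? UPGRADE_NOW : UPGRADE_SSLVPN_OFF;
    return UNKNOWN;   /* between the two builds: the article does not say */
}

int main(void) {
    static const char *label[] = {
        "not affected", "fixed", "upgrade now (SSL VPN exposed)",
        "upgrade when possible (SSL VPN off)", "unknown, check the advisory" };
    /* Constructed inventory: hostname, SonicOS version, SSL VPN enabled. */
    struct { const char *host, *ver; int vpn; } fw[] = {
        {"fw-hq-01", "7.2.0-7015", 1}, {"fw-branch-02", "7.1.3-7015", 0},
        {"fw-dc-03", "7.3.0-7012", 1}, {"fw-lab-04", "7.0.1-5161", 1},
    };
    for (size_t i = 0; i < sizeof fw / sizeof fw[0]; i++)
        printf("%-13s %-11s %s\n", fw[i].host, fw[i].ver,
               label[triage(fw[i].ver, fw[i].vpn)]);
    return 0;
}
```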
Broader Implications and Historical Context
This vulnerability is part of a series of security challenges faced by SonicWall devices in recent years. For instance, in February 2025, attackers targeted an authentication bypass vulnerability (CVE-2024-53704) affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code. This flaw allowed remote attackers to hijack active SSL VPN sessions without authentication, granting unauthorized access to networks. SonicWall urged customers to upgrade their firewalls’ SonicOS firmware to prevent exploitation. Despite these efforts, cybersecurity company Arctic Wolf reported detecting exploitation attempts targeting this vulnerability shortly after the PoC was made public, confirming SonicWall’s concerns about the vulnerability’s exploitation potential. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/sonicwall-firewall-bug-leveraged-in-attacks-after-poc-exploit-release/?utm_source=openai))
In another instance, a financially motivated cyber threat group, dubbed UNC6148 by Google’s Threat Intelligence Group, exploited end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. Despite these systems being patched, UNC6148 utilized stolen credentials and one-time password (OTP) seeds obtained through prior breaches to regain access. The group is suspected of leveraging a zero-day remote code execution vulnerability to deploy a persistent backdoor malware named OVERSTEP. This campaign underscores the critical need for timely system and software updates, especially for end-of-life products. ([techradar.com](https://www.techradar.com/pro/security/hacker-using-backdoor-to-exploit-sonicwall-secure-mobile-access-to-steal-credentials?utm_source=openai))
Furthermore, in September 2024, ransomware affiliates exploited a critical security vulnerability (CVE-2024-40766) in SonicWall SonicOS firewall devices to breach victims’ networks. This improper access control flaw affected Gen 5, Gen 6, and Gen 7 firewalls. SonicWall patched it on August 22 and warned that it only impacted the firewalls’ management access interface. However, the company later revealed that the security vulnerability also impacted the firewall’s SSLVPN feature and was being exploited in attacks. The same day, Arctic Wolf security researchers linked the attacks with Akira ransomware affiliates, who targeted SonicWall devices to gain initial access to their targets’ networks. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/critical-sonicwall-sslvpn-bug-exploited-in-ransomware-attacks/?utm_source=openai))
These incidents highlight the importance of proactive vulnerability management and the need for organizations to stay vigilant against emerging threats.
Conclusion
The discovery of CVE-2025-40600 in SonicWall’s Gen7 firewall products serves as a critical reminder of the ever-evolving cybersecurity landscape. Organizations must prioritize timely software updates and consider disabling vulnerable interfaces when immediate patching isn’t feasible. By staying informed and proactive, businesses can better protect their networks from potential disruptions and unauthorized access.