Critical Vulnerabilities in SonicWall SMA 100 Series Allow Remote Code Execution

Recent security assessments have uncovered critical vulnerabilities in SonicWall’s Secure Mobile Access (SMA) 100 series SSL-VPN appliances. These flaws could enable remote attackers to execute arbitrary JavaScript code and potentially achieve code execution without authentication. The affected models include SMA 210, 410, and 500v running firmware version 10.2.1.15-81sv and earlier, posing significant security risks to organizations relying on these devices.

Identified Vulnerabilities

The security advisory highlights three distinct vulnerabilities with varying severity levels:

1. CVE-2025-40596: Pre-Authentication Stack-Based Buffer Overflow Vulnerability

– Description: This vulnerability exists in the SMA100 series web interface and is classified under CWE-121.

– Impact: Remote, unauthenticated attackers can exploit this flaw to cause Denial of Service (DoS) conditions or potentially execute arbitrary code on affected systems.

– CVSS Score: 7.3 (High)

2. CVE-2025-40597: Pre-Authentication Heap-Based Buffer Overflow Vulnerability

– Description: Similar to the previous flaw, this vulnerability is found in the SMA100 series web interface and falls under CWE-122.

– Impact: It allows remote, unauthenticated attackers to cause DoS conditions or potentially execute arbitrary code.

– CVSS Score: 7.3 (High)

3. CVE-2025-40598: Reflected Cross-Site Scripting (XSS) Vulnerability

– Description: This flaw is categorized under CWE-79 and involves reflected XSS in the SMA100 series web interface.

– Impact: Remote, unauthenticated attackers can execute arbitrary JavaScript code, though this requires user interaction.

– CVSS Score: 6.3 (Medium)

Technical Details

Both buffer overflow vulnerabilities (CVE-2025-40596 and CVE-2025-40597) share the same CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. This indicates that the attacks are network-based, have low complexity, require no authentication, and can lead to low confidentiality, integrity, and availability impacts.

The reflected XSS vulnerability (CVE-2025-40598) has a CVSS vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L, signifying that while the attack is network-based and of low complexity, it requires user interaction to be successful.

Mitigation Measures

SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to firmware version 10.2.2.1-90sv or higher to address these vulnerabilities. The company emphasizes that SonicWall SSL VPN SMA1000 series products and SSL-VPN functionality on SonicWall firewalls are not affected by these security flaws.
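A practical follow-up to the advice above is an inventory check that flags appliances still on an affected build. The example below is added here and is not SonicWall code; the version grammar ("dotted release, hyphen, build number, sv") is an assumption inferred from the two strings the advisory quotes, and the inventory entries are constructed. It classifies a firmware string as affected (10.2.1.15-81sv and earlier), fixed (10.2.2.1-90sv or higher), or unknown for anything in between, and skips models the advisory says are out of scope.

```python
import re

# Assumed grammar for SMA 100 firmware strings such as "10.2.1.15-81sv":
# dotted numeric release, "-", build number, "sv". Inferred from the two
# versions quoted in the advisory; not a vendor-documented format.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,3})-(\d+)sv$")

LAST_AFFECTED = "10.2.1.15-81sv"   # this build "and earlier" are affected
FIXED = "10.2.2.1-90sv"            # this build "or higher" carries the fix
AFFECTED_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}


def parse_version(text):
    """Turn 'a.b.c.d-NNsv' into a comparable tuple, zero-padding the release to 4 parts."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    release += [0] * (4 - len(release))
    return tuple(release) + (int(m.group(2)),)


def assess(version):
    """Classify one firmware string against the advisory's affected/fixed bounds."""
    v = parse_version(version)
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    if v >= parse_version(FIXED):
        return "fixed"
    # The advisory names only the two bounds; a build between them is not
    # stated to be safe, so report it separately rather than assume either way.
    return "unknown"


def triage(inventory):
    """Return (hostname, model, verdict) for every device that needs follow-up."""
    findings = []
    for host in inventory:
        if host["model"] not in AFFECTED_MODELS:
            continue  # e.g. SMA 1000 series is out of scope for this advisory
        verdict = assess(host["version"])
        if verdict != "fixed":
            findings.append((host["hostname"], host["model"], verdict))
    return findings


# Constructed sample inventory: hostnames and versions are invented for the example.
SAMPLE_INVENTORY = [
    {"hostname": "vpn-a.example.test", "model": "SMA 410", "version": "10.2.1.15-81sv"},
    {"hostname": "vpn-b.example.test", "model": "SMA 500v", "version": "10.2.2.1-90sv"},
    {"hostname": "vpn-c.example.test", "model": "SMA 210", "version": "10.2.1.14-75sv"},
    {"hostname": "vpn-d.example.test", "model": "SMA 1000", "version": "(different product line)"},
]

if __name__ == "__main__":
    for hostname, model, verdict in triage(SAMPLE_INVENTORY):
        print(f"{hostname:22} {model:9} {verdict}")
```

The "unknown" verdict is deliberate: a comparison that silently treats every build above 10.2.1.15-81sv as safe would clear interim builds the advisory never mentions, so the script only reports "fixed" for 10.2.2.1-90sv or higher, exactly as the vendor states it.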

As interim security measures, SonicWall advises enabling multi-factor authentication (MFA) as a crucial safeguard against credential theft. MFA can be implemented directly on the appliance or through organizational directory services. Additionally, organizations should activate the Web Application Firewall (WAF) feature on SMA100 devices to provide additional protection layers.

Discovery and Reporting

Security researcher Sina Kheirkhah of watchTowr has been credited with discovering these vulnerabilities. As of now, SonicWall reports no evidence of active exploitation in the wild. However, because these flaws are reachable without authentication, prompt patching is essential to maintain a sound network security posture.

Conclusion

The discovery of these critical vulnerabilities in SonicWall’s SMA 100 series underscores the importance of proactive cybersecurity measures. Organizations utilizing these appliances should promptly upgrade to the recommended firmware version and implement the advised security measures to mitigate potential risks. Staying vigilant and keeping systems updated are crucial steps in safeguarding against emerging threats.