
SonicWall SMA 1000 Zero-Day Attack Chain: CVE-2025-23006 and CVE-2025-40602 Actively Exploited, Patch Now

  • Rescana
  • 20 hours ago
  • 4 min read

Executive Summary

A critical zero-day vulnerability chain has been discovered and actively exploited in the wild, targeting SonicWall Secure Mobile Access (SMA) 1000 appliances. The attack leverages two distinct vulnerabilities: a pre-authentication deserialization flaw (CVE-2025-23006) and a local privilege escalation issue (CVE-2025-40602). When chained, these vulnerabilities enable unauthenticated remote attackers to achieve root-level code execution on affected devices, effectively granting full control over the appliance. Multiple security vendors and threat intelligence organizations have confirmed exploitation, with evidence pointing to sophisticated threat actors, including state-backed groups. SonicWall has released urgent patches and advisories, and immediate action is required to mitigate risk. This report provides a comprehensive technical analysis, threat actor profiling, exploitation details, victimology, and actionable mitigation guidance for organizations using SonicWall SMA 1000.

Threat Actor Profile

The exploitation of the SonicWall SMA 1000 zero-day chain has been attributed to advanced persistent threat (APT) actors, with some evidence suggesting state sponsorship. These actors are characterized by their high operational security, use of custom malware, and focus on high-value targets such as government agencies, critical infrastructure, and large enterprises. The tactics, techniques, and procedures (TTPs) observed in these attacks align with those previously documented in campaigns targeting remote access infrastructure, including VPN gateways and network edge devices. The threat actors demonstrate proficiency in chaining vulnerabilities, leveraging both pre-authentication and post-authentication flaws to maximize impact. While no specific APT group has been publicly named in connection with this campaign, the operational sophistication and targeting patterns are consistent with groups engaged in cyber espionage and ransomware deployment.

Technical Analysis of Malware/TTPs

The attack chain begins with exploitation of CVE-2025-23006, a critical deserialization of untrusted data vulnerability in the SonicWall SMA 1000 Appliance Management Console (AMC). This flaw allows remote, unauthenticated attackers to send specially crafted requests to the AMC, resulting in arbitrary operating system command execution as a low-privilege user. The vulnerability arises from improper handling of serialized objects, enabling attackers to inject malicious payloads that are deserialized and executed by the application.

Once initial access is obtained, attackers exploit CVE-2025-40602, a local privilege escalation vulnerability in the AMC. This issue is due to insufficient authorization checks, allowing authenticated users (including those with access gained via the first vulnerability) to escalate privileges to root. The combination of these vulnerabilities enables a full compromise of the appliance, bypassing all authentication and authorization controls.

Observed TTPs include targeting of internet-exposed AMC interfaces, use of custom malware for persistence (such as the OVERSTEP rootkit in related attacks on the SMA 100 series), and lateral movement within compromised environments. Attackers have been seen establishing reverse shells, deploying additional payloads, and exfiltrating sensitive configuration data. Detection is challenging due to the stealthy nature of the exploitation and the lack of public proof-of-concept (PoC) code, but indicators include unusual logins, privilege escalations, and unexpected processes running as root.

Exploitation in the Wild

Active exploitation of the SonicWall SMA 1000 zero-day chain was observed prior to the release of official patches, classifying this as a true zero-day incident. Security researchers and organizations such as Shadowserver have reported over 950 internet-exposed SMA 1000 appliances as of December 2025, highlighting the widespread risk. Attacks have been confirmed against large enterprises, government agencies, and critical infrastructure providers, with some incidents resulting in significant data breaches and operational disruption.

The exploitation process typically involves scanning for vulnerable appliances, delivering the deserialization payload to gain initial access, and immediately escalating privileges to root. In some cases, attackers have deployed custom malware to maintain persistence and facilitate further exploitation. The lack of public PoC code has not hindered threat actors, who appear to possess private exploit tools and detailed knowledge of the SonicWall SMA 1000 architecture.

Victimology and Targeting

Victims of this attack campaign include organizations across multiple sectors, with a focus on those relying on SonicWall SMA 1000 for secure remote access. Targeted sectors include government, critical infrastructure (such as energy and transportation), healthcare, finance, and large enterprises with distributed workforces. The global exposure of vulnerable appliances suggests that organizations in North America, Europe, Asia, and other regions are at risk. The targeting pattern indicates a preference for high-value entities where compromise of remote access infrastructure could yield significant intelligence or facilitate ransomware deployment.

Mitigation and Countermeasures

Immediate mitigation is essential to prevent exploitation of the SonicWall SMA 1000 zero-day chain. Organizations must upgrade to the fixed versions released by SonicWall: 12.4.3-03245 or later, and 12.5.0-02283 or later. Appliances running versions lower than these are vulnerable and should be patched without delay. As an interim measure, access to the AMC should be restricted to trusted IP addresses, and exposure to the public internet should be minimized.
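As an added example (not Rescana's or SonicWall's code), the following script checks an appliance inventory against the two fixed builds named above and flags any appliance whose AMC is reachable from outside a trusted management range. The inventory records and the trusted ranges are constructed for illustration; the version-string format is assumed to match the advisory's `12.4.3-03245` style.

```python
"""Triage SMA 1000 appliances: below fixed build, or AMC exposed to untrusted sources."""
import re
from ipaddress import ip_network

# Fixed builds from the advisory; each release branch is compared against its own fix.
FIXED_BUILDS = {"12.4": "12.4.3-03245", "12.5": "12.5.0-02283"}

# Constructed trusted management ranges (assumption for this example).
TRUSTED_MGMT = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample inventory, not real appliances.
INVENTORY = [
    {"name": "sma-hq", "version": "12.4.3-03245", "amc_sources": ["10.10.0.0/24"]},
    {"name": "sma-dc2", "version": "12.4.2-01234", "amc_sources": ["0.0.0.0/0"]},
    {"name": "sma-lab", "version": "12.5.0-02100", "amc_sources": ["192.168.5.0/24"]},
]


def parse_version(v: str) -> tuple:
    """Turn '12.4.3-03245' into (12, 4, 3, 3245) so tuples compare numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 1000 version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def fixed_build_for(version: str):
    """Fixed build for the appliance's major.minor branch, or None if the advisory lists none."""
    major, minor, _, _ = parse_version(version)
    return FIXED_BUILDS.get(f"{major}.{minor}")


def is_vulnerable(version: str) -> bool:
    """True if the build is below its branch's fix. Unlisted branches are treated as
    vulnerable (assumption: a false positive is cheaper than an unpatched edge device)."""
    fixed = fixed_build_for(version)
    return True if fixed is None else parse_version(version) < parse_version(fixed)


def triage(inventory, trusted=TRUSTED_MGMT) -> dict:
    """Map each appliance name to the list of actions the advisory calls for."""
    findings = {}
    for app in inventory:
        actions = []
        if is_vulnerable(app["version"]):
            actions.append("patch: upgrade to " + (fixed_build_for(app["version"]) or "a fixed 12.4/12.5 build"))
        # Any AMC source range not contained in a trusted network counts as exposed.
        exposed = [c for c in app["amc_sources"] if not any(ip_network(c).subnet_of(t) for t in trusted)]
        if exposed:
            actions.append("restrict AMC: untrusted sources " + ", ".join(exposed))
        findings[app["name"]] = actions
    return findings


if __name__ == "__main__":
    for name, actions in triage(INVENTORY).items():
        print(name, "->", actions or ["ok"])
```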

Security teams should review AMC logs for signs of unusual logins, privilege escalations, and unexpected root-level processes. Network monitoring should be implemented to detect connections from untrusted sources to the AMC. Organizations are advised to conduct a thorough review of all remote access infrastructure, ensure multi-factor authentication is enabled, and apply the principle of least privilege to all administrative interfaces.

Incident response plans should be updated to account for the possibility of appliance compromise, and organizations should be prepared to perform forensic analysis and remediation in the event of a detected breach. Given the risk of rapid weaponization, ongoing monitoring for new exploit activity and threat intelligence updates is strongly recommended.

References

  • SonicWall PSIRT SNWLID-2025-0019: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
  • BleepingComputer: SonicWall zero-day exploited: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/
  • Tenable Blog: CVE-2025-40602: https://www.tenable.com/blog/cve-2025-40602-sonicwall-secure-mobile-access-sma-1000-zero-day-exploited
  • Cybereason: CVE-2025-23006: https://www.cybereason.com/blog/cve-2025-23006-sonicwall-critical-vulnerability
  • Shadowserver Internet Exposure Stats: https://www.shadowserver.org/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help secure your organization’s digital ecosystem, or for any questions regarding this advisory, please contact us at ops@rescana.com.