Critical File Upload Vulnerability in SonicWall SMA 100 Series

A severe post-authentication vulnerability, tracked as CVE-2025-40599, has been disclosed in SonicWall’s SMA 100 Series appliances. This flaw allows an attacker with valid administrative credentials to upload arbitrary files to the system, opening the door to potential remote code execution (RCE). The vulnerability was reported collaboratively by Dawid Skomski from SonicWall PSIRT and Zander Work of the Google Threat Intelligence Group (GTIG).

Severity Level: Critical

Vulnerability Details

  • CVE ID: CVE-2025-40599
  • CWE: CWE-434 – Unrestricted Upload of File with Dangerous Type
  • CVSS Score: 9.1
  • Privileges Required: High (Administrator-level access)
  • Affects: SMA 100 Series (models 210, 410, 500v) – versions 10.2.1.15-81sv and earlier

The lack of adequate checks on file types and paths within the upload handler of the SMA 100 Series web interface is the root cause. The system fails to enforce strict validation on file extensions or file contents, leading to an unrestricted file upload scenario.

Exploitation of the Vulnerability

  • Requires authenticated administrator access.
  • The attacker uploads a malicious script or binary through the SMA web interface.
  • The uploaded file resides in a web-accessible or executable directory.
  • Execution of the malicious file leads to complete system compromise.
  • No user interaction (UI:N) is required beyond authentication.

At present, there is no evidence of exploitation in the wild, but GTIG has issued caution based on potential abuse scenarios seen in similar vulnerabilities.

Recommendations

1. SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the specified fixed release version to remediate this vulnerability.
Fixed versions: 10.2.2.1-90sv and higher

2. All organizations with deployments of the SMA 100 series appliance (whether virtual or physical) must perform a thorough analysis of the system to determine whether any of the following indicators of compromise are present:

  • Unexpected binaries within the persistent /cf directory or within INITRD files, especially in the /usr/lib directory. GTIG observed OVERSTEP residing in these directories.
  • Presence of the file /etc/ld.so.preload on a disk image. This file should not exist on a standard SMA appliance, and the rootkit will hide it from a live system.
  • Malicious modifications to RC scripts, most notably the /etc/rc.d/rc.fwboot script.
  • Files with irregular timestamps within the INITRD image (/cf/firmware/).
  • Web requests to the appliance containing dobackshell or dopasswords in the URL query.
  • Appliance event logs showing VPN sessions from external IP addresses (especially from low-reputation networks like BLNWX) using administrator accounts.
  • Outbound HTTP network traffic from the appliance to external IP addresses.
  • Log entries for Current settings exported, Current settings imported, or Clear all logs manually occurring outside of scheduled maintenance windows.
  • Irregular activity or threats within other log files from the appliances, including from inside the FLASH.DAT files (current and backup).
  • Evidence of lateral movement, primarily over Secure Shell (SSH), from the SMA appliance to other systems in the environment.

If any signs of compromise are detected, please contact SonicWall Support immediately for assistance.
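The indicator checks above can be partly scripted. The following is an added example, not SonicWall or GTIG tooling: it scans exported web request and event log lines for the query-string and settings-export/import/log-clearing indicators, and checks a file listing taken from an offline disk image for /etc/ld.so.preload. The log line formats, the maintenance window and the sample data are assumptions made for the example.

```python
import re
from datetime import datetime, time

# Added triage helpers for the advisory's indicators; not SonicWall or GTIG
# code. The log line formats used here are ASSUMPTIONS made for the example;
# adapt the parsing to the real exports from your appliance.

QUERY_IOC = re.compile(r"[?&](dobackshell|dopasswords)\b", re.IGNORECASE)
SENSITIVE_EVENTS = ("Current settings exported", "Current settings imported",
                    "Clear all logs manually")

def scan_web_requests(lines):
    """Return request lines whose URL query names dobackshell or dopasswords."""
    return [ln for ln in lines if QUERY_IOC.search(ln)]

def scan_event_log(lines, window=(time(2, 0), time(4, 0))):
    """Flag settings export/import or manual log clearing outside the
    maintenance window. Assumed line format: '<ISO timestamp> <message>'."""
    start, end = window
    hits = []
    for ln in lines:
        stamp, _, msg = ln.partition(" ")
        at = datetime.fromisoformat(stamp).time()
        if not (start <= at <= end) and any(ev in msg for ev in SENSITIVE_EVENTS):
            hits.append(ln)
    return hits

def check_image_listing(paths):
    """Check a file listing taken from an OFFLINE disk image (the rootkit hides
    the file on a live system) for /etc/ld.so.preload, which should not exist."""
    normalized = {p.lstrip("/") for p in paths}
    return ["/etc/ld.so.preload present"] if "etc/ld.so.preload" in normalized else []

# Constructed sample data for demonstration only (not real appliance output).
WEB_LOG = [
    "203.0.113.5 GET /cgi-bin/sample?page=home 200",
    "203.0.113.9 GET /cgi-bin/sample?dobackshell=1 200",
]
EVENT_LOG = [
    "2025-07-20T03:10:00 Current settings exported by admin",
    "2025-07-20T23:41:00 Clear all logs manually by admin",
]
IMAGE_LISTING = ["/etc/ld.so.preload", "/etc/rc.d/rc.fwboot"]

if __name__ == "__main__":
    print(scan_web_requests(WEB_LOG))
    print(scan_event_log(EVENT_LOG))
    print(check_image_listing(IMAGE_LISTING))
```

Any hit from these checks is only a starting point for the manual review the advisory describes (RC scripts, INITRD timestamps, FLASH.DAT contents, VPN session sources).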

3. To mitigate this risk and restore operational integrity for the virtual product SMA 500v, refer to the SonicWall advisory (https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014) for mitigation steps.

4. SonicWall recommends the following additional measures for all SMA 100 Series appliances:

  • Disable remote management access on the external-facing interface (X1) to reduce the attack surface. For detailed steps, refer to the SMA 100 Administrator Guide.
  • Reset all passwords and reinitialize OTP (One-Time Password) binding for users and administrators on the appliance.
  • Enforce multi-factor authentication (MFA) for all users.
  • Enable the Web Application Firewall (WAF) on the SMA 100.

Source:

  • https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014
  • https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor

Ampcus Cyber