CVE-2025-40602

Vendor SonicWall
Product SMA1000
Weakness CWE-862 · Missing authorization
KEV Status Known Exploited
Published December 18, 2025
Last update December 18, 2025

CVSS base score

What the vulnerability does

01 Description

A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).

CISA mandated remediation

02 CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03 Disclosure timeline

December 18, 2025 CVE published
December 18, 2025 Record updated