By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
SonicWall SMA 100 Series Authenticated Arbitrary File Upload Vulnerability
CVSS Score: 9.1 (Critical)
Identifier: CVE-2025-40599
Exploit or POC: No confirmed public exploit
Update: CVE-2025-40599 – SonicWall Security Advisory SNWLID-2025-0014
Description: CVE-2025-40599 is a critical vulnerability affecting SonicWall Secure Mobile Access (SMA) 100 Series appliances, specifically the SMA 210, 410, and 500v running firmware version 10.2.1.15-81sv or earlier. The flaw is an authenticated arbitrary file upload issue in the SMA web management interface, permitting an administrative user to upload arbitrary files to the system. This can lead to remote code execution when chained with other actions, or to the deployment of a backdoor.
Mitigation Recommendation:
- Immediately update SMA 100 Series appliances to firmware version 10.2.2.1-90sv or later. This is the only release known to address CVE-2025-40599.
- For virtual appliances (SMA 500v), rebuild from clean VM images: export configs, delete the old VM and disks, deploy a fresh SMA image, and reapply configurations.
- Rotate all administrator passwords and reinitialize One-Time Password (OTP) bindings, even after patching.
- Disable remote management on external-facing interfaces (e.g. X1) where not needed.
- Enforce Multi-Factor Authentication (MFA) for all administrator and user access.
- Enable Web Application Firewall (WAF) on appliance management interfaces.
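As an added inventory check (example code, not part of RedLegg's bulletin or SonicWall's tooling), the script below applies the version thresholds above across a constructed list of appliances and maps each result to the mitigation step that applies to that model. Model names and firmware versions come from the bulletin, the hostnames are made up, and treating builds newer than 10.2.1.15-81sv but older than 10.2.2.1-90sv as still requiring the update is a conservative assumption.

```python
"""Constructed inventory check for CVE-2025-40599 (SonicWall SMA 100 Series).
Not RedLegg or SonicWall code; thresholds from the bulletin, hostnames made up."""
import re

AFFECTED_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}
LAST_AFFECTED = "10.2.1.15-81sv"  # this build or earlier is vulnerable
FIRST_FIXED = "10.2.2.1-90sv"     # only release known to address the CVE
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

def parse_version(text: str):
    """Turn '10.2.1.15-81sv' into (10, 2, 1, 15, 81); None if malformed."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

_LAST, _FIXED = parse_version(LAST_AFFECTED), parse_version(FIRST_FIXED)

def assess(model: str, version: str) -> str:
    """Classify one appliance against the bulletin's version thresholds."""
    if model not in AFFECTED_MODELS:
        return "not-applicable"
    v = parse_version(version)
    if v is None:
        return "unknown-version"
    if v <= _LAST:
        return "vulnerable"
    if v >= _FIXED:
        return "patched"
    # Builds newer than 10.2.1.15-81sv but older than 10.2.2.1-90sv: the
    # bulletin names only the latter as a fix, so flag them (assumption).
    return "update-required"

def recommended_action(model: str, status: str) -> str:
    """Map a status to the bulletin's mitigation step for that model."""
    if status in ("vulnerable", "update-required"):
        if model == "SMA 500v":  # virtual appliance: rebuild, do not upgrade in place
            return f"rebuild from clean VM image at {FIRST_FIXED}, rotate admin passwords and OTP"
        return f"update to {FIRST_FIXED} or later, rotate admin passwords and OTP"
    if status == "patched":
        return "rotate admin passwords and OTP bindings if not done after patching"
    return "verify firmware version manually" if status == "unknown-version" else "none"

def triage(inventory):
    """inventory: iterable of (host, model, version) -> (host, status, action) rows."""
    return [(h, assess(m, v), recommended_action(m, assess(m, v))) for h, m, v in inventory]

if __name__ == "__main__":
    SAMPLE = [("vpn-a", "SMA 410", "10.2.1.15-81sv"), ("vpn-b", "SMA 500v", "10.2.1.16-85sv"),
              ("vpn-c", "SMA 210", "10.2.2.1-90sv"), ("fw-1", "SMA 1000", "n/a")]  # constructed
    for row in triage(SAMPLE):
        print(" | ".join(row))
```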