SonicWall this week rolled out fixes for high-severity vulnerabilities that may enable attackers to crash firewalls or execute arbitrary recordsdata on Electronic mail Safety home equipment.
Over 30 SonicWall Gen7 and Gen8 firewalls are affected by a stack-based buffer overflow bug within the SonicOS SSL VPN service that could possibly be exploited remotely, with out authentication, to trigger a denial-of-service (DoS) situation resulting in system crashes.
Tracked as CVE-2025-40601 (CVSS rating of seven.2), the problem impacts solely firewalls which have the SonicOS SSLVPN interface or service enabled.
The weak spot was resolved with the discharge of SonicOS variations 7.3.1-7013 and eight.0.2-8011. SonicWall Gen6 firewalls and the SMA 1000 and SMA 100 collection home equipment are usually not affected.
Till they will apply the newly launched fixes, prospects are suggested to restrict SonicOS SSL VPN entry to trusted supply IP addresses, and disable entry from untrusted sources.
SonicWall’s Electronic mail Safety home equipment acquired fixes for 2 safety defects, together with a high-severity flaw that enables attackers to switch system recordsdata and acquire arbitrary code execution.
The primary vulnerability, tracked as CVE-2025-40604 (CVSS rating of seven.2), exists as a result of the home equipment don’t confirm the signature of loaded root filesystem pictures.
The second bug, CVE-2025-40605 (CVSS rating of 4.9), is described as a path traversal concern that may be exploited to control file system paths.Commercial. Scroll to proceed studying.
An attacker can set off the flaw “by injecting crafted directory-traversal sequences (reminiscent of ../) and will entry recordsdata and directories exterior the supposed restricted path”, SonicWall explains.
SonicWall addressed the safety defect in Electronic mail Safety 5000, 5050, 7000, 7050, 9000, VMWare, and Hyper-V home equipment with model 10.0.34.8215.
The corporate says it’s not conscious of any of those vulnerabilities being exploited within the wild. Extra info could be discovered on SonicWall’s safety advisories web page.
Associated: SolarWinds Patches Three Vital Serv-U Vulnerabilities
Associated: Chrome 142 Replace Patches Exploited Zero-Day
Associated: State-Sponsored Hackers Stole SonicWall Cloud Backups in Current Assault
Associated: SonicWall SSL VPN Accounts in Attacker Crosshairs
