Warning: SonicWall's Secure Mobile Access 100 series, Patch Immediately!

Published: 26/07/2025
  • Last update: 25/07/2025
  • Affected software: SonicWall SMA100
    → 10.2.1.15-81sv and earlier versions
  • Type: Remote Code Execution & Cross-Site Scripting (XSS)
  • CVE/CVSS
    → CVE-2025-40596: CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
    → CVE-2025-40597: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    → CVE-2025-40598: CVSS 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
    → CVE-2025-40599: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Sources

SonicWall - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0012

Risks

Multiple newly disclosed vulnerabilities in SonicWall SMA100 (version 10.2.1.15-81sv and earlier) allow attackers to execute unauthorized code and inject malicious scripts, potentially compromising secure remote access environments.

SonicWall SMA100 is a widely deployed secure mobile access appliance used by enterprises to provide encrypted remote connectivity for employees, partners, and vendors. It plays a critical role in enabling secure remote work and maintaining access to sensitive internal resources. 

If exploited, these vulnerabilities could lead to unauthorized remote code execution and cross-site scripting (XSS), allowing attackers to bypass security controls, steal sensitive data, and disrupt core operations. The impact spans confidentiality, integrity, and availability, risking data breaches, full system compromise, and operational downtime.

Description

A set of critical security vulnerabilities has been identified in the SonicWall SMA100 series, affecting versions 10.2.1.15-81sv and earlier. These vulnerabilities include buffer overflows, reflected cross-site scripting, and an authenticated arbitrary file upload, collectively exposing affected systems to remote code execution (RCE) and unauthorized script injection.

CVE-2025-40596 – Stack-Based Buffer Overflow (Pre-Auth RCE):
A critical stack-based buffer overflow vulnerability in the SMA100 web interface allows remote unauthenticated attackers to send crafted input that causes memory corruption.
This may result in a denial of service (DoS) or lead to remote code execution.

CVE-2025-40597 – Heap-Based Buffer Overflow (Pre-Auth RCE):
A heap-based buffer overflow vulnerability also exists in the web interface. Exploitation requires no authentication and enables remote attackers to cause a crash or potentially execute arbitrary code within the context of the appliance.

CVE-2025-40598 – Reflected Cross-Site Scripting (XSS):
This reflected XSS vulnerability allows unauthenticated attackers to inject malicious scripts into a victim’s browser via specially crafted links. Successful exploitation could result in session hijacking, credential theft, or manipulation of interface elements.

CVE-2025-40599 – Authenticated Arbitrary File Upload (RCE):
An authenticated arbitrary file upload vulnerability in the SMA100 web management interface allows an attacker with administrator privileges to upload malicious files, leading to remote code execution.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
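Prioritising the patch starts with knowing which appliances in an inventory run an affected build. The following is an added example (not CCB or SonicWall code) that parses SMA100 version strings of the form "10.2.1.15-81sv" and flags those at or below the affected ceiling stated in this advisory. It assumes that the dotted release and the numeric build suffix both compare numerically; the inventory is constructed sample data, and the vendor's PSIRT page remains the authority on which builds contain the fix.

```python
"""Affected-version triage for SonicWall SMA100 (added example; not the advisory's own code).

Assumption: a version such as "10.2.1.15-81sv" is a dotted numeric release,
then "-", then a numeric build number and the "sv" suffix; both parts are
compared numerically (release first, then build). Builds above the ceiling
are treated as not affected; confirm the fixed build against the PSIRT page.
"""
import re

# From the advisory: this version and earlier versions are affected.
AFFECTED_UPTO = "10.2.1.15-81sv"

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


def parse_version(version: str) -> tuple:
    """Turn "10.2.1.15-81sv" into ((10, 2, 1, 15), 81); reject other shapes."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA100 version string: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return (release, int(m.group(2)))


def is_affected(version: str, ceiling: str = AFFECTED_UPTO) -> bool:
    """True when version is the ceiling or earlier (tuple comparison handles both parts)."""
    return parse_version(version) <= parse_version(ceiling)


def triage(inventory: list) -> list:
    """Return the hostnames whose reported version is affected, preserving inventory order."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("sma-hq-01.example", "10.2.1.15-81sv"),      # exactly the ceiling: affected
    ("sma-branch-02.example", "10.2.1.14-75sv"),  # earlier release: affected
    ("sma-lab-03.example", "10.2.1.15-82sv"),     # later build of the same release: not flagged
    ("sma-dr-04.example", "10.2.2.1-5sv"),        # later release, lower build number: not flagged
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, patch with highest priority")
```

The release tuple is compared before the build number, so "10.2.2.1-5sv" correctly ranks above "10.2.1.15-81sv" even though 5 is smaller than 81; a naive string comparison would get that wrong.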

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.