2025-07-25

Patches for CVE-2025-40599, a critical arbitrary file upload vulnerability in the web management interface of Secure Mobile Access (SMA) 100 appliances, were released by SonicWall in software version 10.2.2.1-90sv and for the 500v virtual products, SecurityWeek reports.

While there is no evidence yet that the vulnerability has been leveraged in attacks, the company urges organizations to secure their devices immediately to avoid falling victim to the Overstep malware; the flaw could be exploited by attackers and could lead to remote code execution. Google found that hackers used compromised admin credentials to access and infect patched appliances. These credentials were likely acquired before the devices were patched, through the exploitation of CVE-2021-20035, CVE-2021-20038, CVE-2021-20039, CVE-2024-38475, and CVE-2025-32819.

SonicWall advises organizations using the SMA 500v products to back up the Open Virtualization Archive (OVA) file, remove the virtual machine and all related files, download the company's new OVA and set it up in a hypervisor, export the configuration, and then restore the configuration.

On July 23 the company also announced patches for CVE-2025-40596 and CVE-2025-40597, two buffer overflow issues that could lead to a denial-of-service condition, and CVE-2025-40598, a cross-site scripting defect that could lead to arbitrary JavaScript code execution. These flaws can be exploited remotely and without authentication.
