Week 31 – Critical VPN Flaw Hits SonicWall: Patch Now!
28 July – 03 Aug 2025

SonicWall has issued an urgent advisory regarding a newly discovered critical vulnerability — CVE-2025-40600, now spotlighted as this week’s CVE of the Week.
This flaw affects the SSL VPN interface of the SonicOS firewall operating system, and it demands immediate attention from IT and security teams.
Vulnerability Summary
CVE-2025-40600 is a Use of Externally-Controlled Format String vulnerability (CWE-134) that allows unauthenticated remote attackers to disrupt services by injecting malicious input into the VPN interface. The result: potential denial-of-service (DoS) attacks that can cripple remote access and network availability.
With no user interaction required and high exploitability, this vulnerability is a prime target for automated attacks and botnets. Vulnerabilities of this nature pose a significant threat when present in perimeter devices such as firewalls, which serve as the frontline defense in safeguarding organizational networks from external threats.
In this case, the flaw directly impacts Gen7 SonicWall firewall appliances, including both hardware-based and virtual deployments, making a broad range of systems potentially vulnerable.
The flaw was published on July 29, 2025, and has been assigned a CVSS score of 9.8, indicating a critical level of severity. It affects SonicOS versions 7.2.0-7015 and earlier, putting these systems at significant risk if left unpatched.
Mitigation Steps:
Patch immediately using the official SonicWall advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0013
Monitor VPN traffic for suspicious input patterns, apply input validation, and consider temporary access restrictions if patching is delayed.
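To make the CWE-134 mechanism in the summary above concrete, and to show what "apply input validation" means for this class of bug, here is an added example in C. It is not SonicWall code and does not reflect how SonicOS handles the affected interface; the sample input, the function names (count_format_directives, log_hardened, accept_input) and the "client input:" log prefix are all constructed for illustration. The defect behind a format-string bug is that untrusted text is handed to a printf-family function as the format argument itself, so the hardened logger below passes the text as a plain %s argument, and the validation helper counts conversion directives so that a front-end check can reject or flag input that contains them.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample of untrusted text, e.g. a field submitted to a login
   form. It is an illustrative value, not traffic from the advisory. */
static const char SAMPLE_UNTRUSTED[] = "user=%x%x%x%n";

/* Count printf conversion directives in a string: every '%' that is not
   the escape "%%". Untrusted text with a nonzero count must never reach a
   printf-family function as its format argument. */
int count_format_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" is a literal percent sign */
        count++;
    }
    return count;
}

/* Hardened logging: the format string is a compile-time constant and the
   untrusted text is an argument, so any '%' it contains is copied verbatim.
   Returns the length snprintf would have produced. The CWE-134 pattern this
   replaces is  snprintf(out, out_len, untrusted);  where "%x" makes the
   function read argument slots it was never given and "%n" makes it write
   to memory, which is how a crafted string crashes the process (DoS). */
int log_hardened(char *out, size_t out_len, const char *untrusted) {
    return snprintf(out, out_len, "client input: %s", untrusted);
}

/* Input-validation gate for a field that has no legitimate reason to
   contain format directives: accept only directive-free text. */
bool accept_input(const char *untrusted) {
    return count_format_directives(untrusted) == 0;
}

int main(void) {
    char line[128];
    log_hardened(line, sizeof line, SAMPLE_UNTRUSTED);
    printf("%s\n", line);
    printf("directives=%d accepted=%s\n",
           count_format_directives(SAMPLE_UNTRUSTED),
           accept_input(SAMPLE_UNTRUSTED) ? "yes" : "no");
    return 0;
}
```

The same directive count is also a cheap detection signal: logging or alerting on requests whose fields contain "%" followed by a conversion character gives a monitoring team a way to spot probing against an unpatched appliance while the update is being scheduled. Compilers flag the vulnerable form when warnings such as -Wformat-security are enabled, so building with those warnings is the code-level check that catches this bug class before it ships.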

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, it is trusted by organizations to deliver fast, effective, and proactive protection. Its portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
The company is committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity, both for individuals and organizations. It regularly contributes to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.