Current Cyber Threats

New SonicWall SonicOS Flaw Allows Hackers to Crash Firewalls

Summary:
SonicWall has issued patches for a high-severity SonicOS SSLVPN vulnerability, CVE-2025-40601, affecting Gen7 and Gen8 firewalls, both hardware and virtual. The flaw is a stack-based buffer overflow in the SSLVPN service that allows a remote, unauthenticated attacker to trigger a denial-of-service condition and crash the firewall. While there is no evidence of exploitation, no public PoC, and no reports of malicious use, SonicWall is urging immediate patching due to ongoing targeting of its appliances by both criminal and state-sponsored actors. The vulnerability does not affect Gen6 firewalls or the SMA 1000 / SMA 100 series.


Security Officer Comments:
This advisory highlights the ongoing fragility of SSLVPN and edge-device ecosystems, where even non-code-execution vulnerabilities can have outsized operational impact. A remotely triggerable crash on a perimeter firewall is not a trivial event: an attacker could disrupt traffic, force failover, interrupt monitoring tools, or degrade visibility during a broader intrusion attempt. While there is no exploitation yet, threat actors routinely weaponize SonicWall vulnerabilities once patches are announced, making timely updates essential.


Suggested Corrections:
Patch immediately to the fixed versions.

Until the patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS SSLVPN access to trusted sources (and/or disable firewall SSLVPN service from untrusted internet sources) by modifying the existing SonicOS SSLVPN access rules. This will only allow access from trusted source IP addresses. Review system logs and device configurations for signs of tampering, especially given recent SonicWall-targeted intrusions.

Link(s):
https://www.bleepingcomputer.com/ne...nicos-flaw-allows-hackers-to-crash-firewalls/