Security researchers have uncovered multiple severe vulnerabilities affecting SonicWall's SMA100 series appliances, sending a wave of concern through IT and cybersecurity teams worldwide. These flaws—ranging from buffer overflows to cross-site scripting (XSS)—can be exploited even before a user logs in, making them particularly dangerous.

If your organization uses SonicWall SMA devices, it's time to pay attention.

What's the Problem?

Three vulnerabilities were discovered in SonicWall's SMA100 appliances, specifically affecting models SMA 210, 410, and 500v running firmware version 10.2.1.15-81sv or earlier. These bugs have been formally assigned CVE-2025-40596, CVE-2025-40597, and CVE-2025-40598.

These issues highlight persistent weaknesses in how some network appliances handle user input—leading to serious risks for organizations if left unpatched.

Digging Deeper Into the Vulnerabilities 

1. Stack Buffer Overflow (CVE-2025-40596)

This flaw has a CVSS 3.1 score of 7.3 and occurs before authentication. A specially crafted HTTP request to the __api__ endpoint can trigger a classic stack buffer overflow due to unsafe handling of user data by the SSL-VPN service's HTTP daemon. The vulnerability stems from poor input validation: user-supplied data is parsed with an unsafe sscanf call.

Even though modern systems implement stack protection, this type of vulnerability could still pose a serious risk, particularly because it doesn't require prior login credentials.

2. Heap Overflow (CVE-2025-40597)

This bug ranks even higher with a CVSS score of 7.5. It's located in the reverse proxy module (mod_httprp.so) that handles HTTP headers. In this case, even though developers tried to use safer coding methods (__sprintf_chk), they passed an invalid size parameter, effectively bypassing bounds checking. A simple request with a long Host header can trigger this heap overflow and potentially corrupt memory in dangerous ways.
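To illustrate why a bounds-checked formatter fails when it is given the wrong destination size, the following added example (not SonicWall's code and not from the original article) uses snprintf with a caller-supplied size as a stand-in for the size argument of __sprintf_chk. The struct layout, the names, the 32-byte buffer and the 40-character input are assumptions; the overstated size stays inside a single allocation so the program is safe to run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 32

/* Hypothetical layout: `next` stands in for whatever follows the buffer on the heap. */
struct req {
    char host[HOST_MAX];
    char next[HOST_MAX];
};

struct result { int rc; int neighbour_clobbered; };

/* Bounded write: returns 0 on success, -1 if the value did not fit in `size`.
 * The check is only as good as the `size` the caller passes in. */
static int fmt_host(char *dst, size_t size, const char *host) {
    int n = snprintf(dst, size, "%s", host);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Formats `host` into a fresh request, telling the formatter the buffer is `claimed` bytes. */
static struct result handle_host(const char *host, size_t claimed) {
    struct result res = { -1, 0 };
    struct req *r = calloc(1, sizeof *r);
    if (r == NULL || claimed > sizeof *r) {       /* keep the demo inside one allocation */
        free(r);
        return res;
    }
    memset(r->next, 'N', HOST_MAX - 1);           /* known pattern in the neighbour */
    res.rc = fmt_host((char *)r, claimed, host);  /* host sits at offset 0 of *r */
    res.neighbour_clobbered = (r->next[0] != 'N');
    free(r);
    return res;
}

int main(void) {
    char long_host[41];                           /* constructed input: 40 'A's */
    memset(long_host, 'A', 40);
    long_host[40] = '\0';

    struct result bad  = handle_host(long_host, sizeof(struct req)); /* wrong size */
    struct result good = handle_host(long_host, HOST_MAX);           /* real size  */
    printf("wrong size: rc=%d clobbered=%d\n", bad.rc, bad.neighbour_clobbered);
    printf("real size:  rc=%d clobbered=%d\n", good.rc, good.neighbour_clobbered);
    return 0;
}
```

With the overstated size the call reports success while the neighbouring field is overwritten; with the real buffer size the same input is rejected as too long and the neighbour is untouched.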

3. Reflected Cross-site Scripting (CVE-2025-40598)

While slightly less severe with a CVSS score of 6.1, this reflected XSS flaw is still concerning. Found in the radiusChallengeLogin endpoint, it allows malicious scripts to be injected into responses using unsanitized state parameters. The attack doesn't require authentication and can be exploited by tricking a user into clicking a malicious link.

Who's Affected?

If you're running any of the following models on firmware version 10.2.1.15-81sv or earlier, your systems are at risk: SMA 210, SMA 410, and SMA 500v.

It's worth noting that SMA1000 series products and SSL-VPN features on SonicWall firewalls are not affected.

What Should You Do?

Update Immediately

SonicWall has released an updated firmware version—10.2.2.1-90sv—to address all three vulnerabilities. Upgrading should be your top priority.

Enable Multi-Factor Authentication (MFA)

While you patch, it's highly recommended to enable MFA, either directly on the appliance or through your organization's identity system. This adds an essential layer of protection against credential theft.

Activate Web Application Firewall (WAF)

Turning on the WAF feature in SMA100 devices can help mitigate some attack vectors and provide added security while patching is underway.

Stay Calm but Vigilant

As of now, SonicWall reports no confirmed cases of active exploitation. But given that the vulnerabilities are pre-authentication, it's critical to act fast to reduce exposure.

Final Thoughts

These flaws serve as yet another reminder that even hardened network devices aren't immune to programming errors. For businesses relying on SonicWall for secure remote access, prompt updates and basic best practices like MFA can make the difference between staying safe and falling victim.