SonicWall and Cisco warn of zero-day attacks targeting network security appliances


SonicWall warned customers to patch a vulnerability in its SMA1000 Appliance Management Console (AMC) as soon as possible after it was chained in zero-day attacks to escalate privileges.

The flaw, tracked as CVE-2025-40602, is a missing-authorization issue: the AMC lacks authorization checks on certain operations, so a remote, authenticated user can obtain root privileges on the appliance. In the wild it was chained with a critical pre-authentication deserialization vulnerability (CVE-2025-23006) to achieve unauthenticated remote code execution as root.

SonicWall patched CVE-2025-23006 in build version 12.4.3-02854 and later releases issued on January 22, 2025.

According to statistics from the internet monitoring group Shadowserver, more than 950 SMA1000 appliances are currently exposed online, though some of them may already be patched. The SMA1000 is widely used by large organizations to provide secure remote VPN access to corporate networks.

Separately, Cisco also warned customers of an actively exploited, critical vulnerability affecting Cisco AsyncOS on Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.

The unpatched flaw, tracked as CVE-2025-20393, impacts appliances with non-standard configurations where the Spam Quarantine feature is enabled and exposed to the internet. Cisco Talos attributed the attacks to a suspected Chinese threat group known as UAT-9686, which has been observed executing arbitrary commands as root and deploying persistent backdoors, including AquaShell, AquaTunnel, and Chisel, along with a log-wiping tool called AquaPurge.

Cisco said the campaign has been active since at least late November 2025, although it was first detected on December 10. While patches are not yet available, Cisco advised administrators to reduce exposure by restricting internet access, limiting connections to trusted hosts, and placing affected appliances behind firewalls.
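The interim mitigation Cisco describes (no direct internet exposure, only trusted hosts allowed to reach the appliance) can be expressed on an upstream Linux firewall that forwards traffic to the gateway. The nftables ruleset below is an added illustration, not Cisco's or SonicWall's guidance and not code from the original article; the appliance address, the trusted management subnet, and the quarantine web ports are all assumed placeholders that must be replaced with the values configured in your own environment.

```nft
# Added example: restrict reachability of an email-gateway appliance's
# web interfaces to trusted hosts on a perimeter firewall (nftables).
# All addresses and ports below are assumptions for illustration only.
define APPLIANCE      = 192.0.2.10           # assumed: appliance address
define TRUSTED_ADMINS = { 10.20.0.0/24 }      # assumed: trusted admin subnet
define QUARANTINE_WEB = { 82, 83 }            # assumed: spam-quarantine HTTP/HTTPS ports
define ADMIN_WEB      = { 443 }               # assumed: management web UI port

table inet appliance_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow established sessions to continue in both directions.
        ct state established,related accept

        # SMTP delivery to the gateway is its business function and stays open.
        ip daddr $APPLIANCE tcp dport 25 accept

        # Quarantine and management web interfaces: trusted hosts only.
        ip saddr $TRUSTED_ADMINS ip daddr $APPLIANCE tcp dport $QUARANTINE_WEB accept
        ip saddr $TRUSTED_ADMINS ip daddr $APPLIANCE tcp dport $ADMIN_WEB accept

        # Everything else destined for the appliance is logged and dropped,
        # which also gives defenders a record of untrusted access attempts.
        ip daddr $APPLIANCE log prefix "appliance-guard drop: " drop
    }
}
```

The ruleset deliberately leaves SMTP open so mail flow continues while the attack surface the advisory names (the quarantine web interface reachable from the internet) is closed to all but the trusted subnet; the final logging rule makes it possible to see who is still probing the appliance from untrusted networks. Verify the active ports on the appliance before deploying, and load the file with `nft -f`.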
