SonicWall SonicOS SSLVPN Stack-Based Buffer Overflow Vulnerability
Summary
SonicWall has disclosed a high-severity stack-based buffer overflow vulnerability (CVE-2025-40601) in SonicOS SSLVPN that allows unauthenticated attackers to cause a denial-of-service (DoS) condition, crashing affected firewalls. The flaw impacts Gen8 and Gen7 hardware and virtual firewalls. SonicWall has not observed active exploitation and urges users to apply patches or mitigate the risk by disabling the SSLVPN service or restricting access to trusted sources. Additionally, SonicWall patched two vulnerabilities in its Email Security appliances that could lead to arbitrary code execution and information disclosure.
Timeline
- 20.11.2025 17:56 (1 article)
SonicWall discloses high-severity SSLVPN vulnerability and patches Email Security flaws
SonicWall disclosed a high-severity stack-based buffer overflow vulnerability (CVE-2025-40601) in SonicOS SSLVPN that can cause firewalls to crash. The company has not observed active exploitation but urges users to apply patches or mitigate the risk. Additionally, SonicWall patched two vulnerabilities in its Email Security appliances that could lead to arbitrary code execution and information disclosure.
- New SonicWall SonicOS flaw allows hackers to crash firewalls — www.bleepingcomputer.com — 20.11.2025 17:56
Information Snippets
- CVE-2025-40601 is a stack-based buffer overflow in SonicOS SSLVPN that allows unauthenticated remote attackers to cause a DoS condition.
  First reported: 20.11.2025 17:56 (1 source, 1 article)
  - New SonicWall SonicOS flaw allows hackers to crash firewalls — www.bleepingcomputer.com — 20.11.2025 17:56
- Affected platforms include Gen8 and Gen7 hardware and virtual firewalls, while Gen6 firewalls and SMA 1000/100 series SSL VPN products are not vulnerable.
  First reported: 20.11.2025 17:56 (1 source, 1 article)
  - New SonicWall SonicOS flaw allows hackers to crash firewalls — www.bleepingcomputer.com — 20.11.2025 17:56
- SonicWall has not observed active exploitation or public proof-of-concept (PoC) exploits for CVE-2025-40601.
  First reported: 20.11.2025 17:56 (1 source, 1 article)
  - New SonicWall SonicOS flaw allows hackers to crash firewalls — www.bleepingcomputer.com — 20.11.2025 17:56
- Mitigation steps include applying patches, disabling the SSLVPN service, or restricting access to trusted sources.
  First reported: 20.11.2025 17:56 (1 source, 1 article)
  - New SonicWall SonicOS flaw allows hackers to crash firewalls — www.bleepingcomputer.com — 20.11.2025 17:56
- Two additional vulnerabilities (CVE-2025-40604 and CVE-2025-40605), which could allow remote code execution and information disclosure, were patched in SonicWall Email Security appliances.
  First reported: 20.11.2025 17:56 (1 source, 1 article)
  - New SonicWall SonicOS flaw allows hackers to crash firewalls — www.bleepingcomputer.com — 20.11.2025 17:56
- SonicWall confirmed a state-sponsored hacking group was behind a September breach that exposed customer firewall configuration backup files.
  First reported: 20.11.2025 17:56 (1 source, 1 article)
  - New SonicWall SonicOS flaw allows hackers to crash firewalls — www.bleepingcomputer.com — 20.11.2025 17:56