Attackers are actively exploiting CVE-2025-40599, a critical vulnerability in SonicWall’s Secure Mobile Access (SMA) devices, to upload arbitrary files and gain unauthorized access. This flaw enables them to execute malicious code and compromise affected systems. The Akira ransomware group is exploiting this vulnerability to infiltrate networks, putting SonicWall users at serious risk. Review this Cybersecurity Threat Advisory to mitigate your risks.
What is the threat?
CVE-2025-40599 enables attackers to upload arbitrary files to vulnerable SonicWall SMA devices, potentially granting unauthorized access and control over affected systems. By exploiting this flaw, attackers can deploy malicious scripts or executables and execute arbitrary code, leading to full device and network compromise. This opens the door to further attacks, including data exfiltration, system manipulation, and the deployment of additional malware such as ransomware. Notably, the Akira ransomware group—known for its sophisticated and targeted tactics—has been observed leveraging this vulnerability to gain initial access to networks.
Why is it noteworthy?
This vulnerability has a CVSS score of 9.1 and it is actively exploited in the wild. Organizations using affected SonicWall devices face elevated risks of severe security incidents, including data loss and operational disruption. The ability to chain this vulnerability with others amplifies the threat, making prompt remediation essential.
What is the exposure or risk?
CVE-2025-40599 poses a significant risk to organizations using vulnerable SonicWall firewalls. This flaw enables attackers to upload arbitrary files, potentially granting unauthorized access to sensitive systems and data. Once exploited, it can lead to the deployment of ransomware or other malicious software, resulting in data breaches and operational disruptions such as downtime and loss of critical services.
Indicators of compromise (IoCs) may include suspicious file extensions like .php, .jsp, .asp/.aspx, .exe/.bat/.sh, and .pl/.py/.ps1, as well as unusual outbound traffic to known malicious IPs or domains linked to ransomware groups.
What are the recommendations?
Barracuda recommends the following actions to limit the impact of CVE-2025-40599:
- Update to the latest available versions of SonicWall SMA devices.
- Review and strengthen access controls to ensure that only authorized personnel can access critical systems and sensitive resources.
- Implement robust monitoring and logging practices to detect unauthorized access attempts and identify suspicious activities in real time.
- Ensure a comprehensive incident response plan is in place to effectively address potential exploitation of these vulnerabilities and minimize impact.
- Educate users on the importance of strong security practices and the risks associated with privilege escalation to promote a security-aware culture.
References
For more in-depth information about the recommendations, please visit the following links:
- https://cvefeed.io/vuln/detail/CVE-2025-40599
- https://www.bleepingcomputer.com/news/security/surge-of-akira-ransomware-attacks-hits-sonicwall-firewall-devices/
- https://thehackernews.com/2025/08/akira-ransomware-exploits-sonicwall.html
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
