CVE-2025-40604

medium

Description

Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution.

References

Advisories
References

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0018

https://www.securityweek.com/sonicwall-patches-high-severity-flaws-in-firewalls-email-security-appliance/

https://www.bleepingcomputer.com/news/security/new-sonicwall-sonicos-flaw-allows-hackers-to-crash-firewalls/

Details

Source: Mitre, NVD

Published: 2025-11-20

Updated: 2025-11-21

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00015