CVE-2025-40600

Critical

Published: 29 July 2025

Published

29 July 2025

Modified

11 August 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 29.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-40600 is a critical-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Sonicwall Sonicos. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the format string flaw in the SonicOS SSL VPN interface via vendor-provided patches in advisory SNWLID-2025-0013.

SI-10 Information Input Validation good match

prevent

Enforces validation of externally-controlled inputs to the SSL VPN interface, preventing exploitation of the format string vulnerability (CWE-134).

SI-11 Error Handling partial match

prevent

Implements secure error handling to mitigate service disruption and potential information disclosure from format string errors without compromising availability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Format string flaw in public SSL VPN interface enables unauthenticated remote exploitation (T1190) that directly produces application/service DoS via memory corruption (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use of Externally-Controlled Format String vulnerability in the SonicOS SSL VPN interface allows a remote unauthenticated attacker to cause service disruption.

Deeper analysisAI

CVE-2025-40600 is a Use of Externally-Controlled Format String vulnerability (CWE-134) present in the SonicOS SSL VPN interface of SonicWall SonicOS devices. Published on 2025-07-29, it has been assigned a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility (AV:N), low attack complexity (AC:L), lack of required privileges (PR:N), and absence of user interaction (UI:N), with high impacts across confidentiality (C:H), integrity (I:H), and availability (A:H) and no change in scope (S:U).

A remote unauthenticated attacker can exploit this vulnerability to cause service disruption on affected SonicOS SSL VPN interfaces. The attack requires no authentication or privileges and can be executed over the network with low complexity and no user interaction, potentially leading to high-severity impacts including data exposure, modification, and denial of service.

SonicWall has published a corresponding advisory under identifier SNWLID-2025-0013, available at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0013, which security practitioners should consult for details on patches, workarounds, and mitigation recommendations.