CVE-2025-40604
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution.
Analysis
Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical Context
This vulnerability is classified under CWE-494. Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution. Affected products include: Sonicwall Email Security Appliance 5000 Firmware, Sonicwall Email Security Appliance 5050 Firmware, Sonicwall Email Security Appliance 7000 Firmware, Sonicwall Email Security Appliance 7050 Firmware, Sonicwall Email Security Appliance 9000 Firmware.
Affected Products
Sonicwall Email Security Appliance 5000 Firmware, Sonicwall Email Security Appliance 5050 Firmware, Sonicwall Email Security Appliance 7000 Firmware, Sonicwall Email Security Appliance 7050 Firmware, Sonicwall Email Security Appliance 9000 Firmware.
Remediation
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today