CVE-2025-40604

Published: Nov 20, 2025Modified: Dec 12, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution.

Affected (5)

Products: Sonicwall: Email Security Appliance 5000 Firmware, Email Security Appliance 5050 Firmware, Email Security Appliance 7000 Firmware, Email Security Appliance 7050 Firmware, Email Security Appliance 9000 Firmware

Sonicwall

5 products

Email Security Appliance 5000 Firmware

Email Security Appliance 5050 Firmware

Email Security Appliance 7000 Firmware

Email Security Appliance 7050 Firmware

Email Security Appliance 9000 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Email Security Appliance 5000 Firmware	Up to 10.0.33.8195

Running on/with	Platform Versions
Sonicwall Email Security Appliance 5000	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Email Security Appliance 5050 Firmware	Up to 10.0.33.8195

Running on/with	Platform Versions
Sonicwall Email Security Appliance 5050	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Email Security Appliance 7000 Firmware	Up to 10.0.33.8195

Running on/with	Platform Versions
Sonicwall Email Security Appliance 7000	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Email Security Appliance 7050 Firmware	Up to 10.0.33.8195

Running on/with	Platform Versions
Sonicwall Email Security Appliance 7050	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Email Security Appliance 9000 Firmware	Up to 10.0.33.8195

Running on/with	Platform Versions
Sonicwall Email Security Appliance 9000	All versions

Related CWEs

CWE-494

Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

References (1)

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0018

Source: PSIRT@sonicwall.com

Vendor Advisory

Timeline

No history available yet.