🔴 HIGH | intel

CVE-2025-40601 – SonicOS SSLVPN DoS Crashes Remote Firewalls

CVE-2025-40601 is a stack-based buffer overflow in the SonicOS SSLVPN service that allows remote unauthenticated attackers to trigger denial-of-service (DoS) conditions and crash SonicWall firewalls. By sending crafted input to the public SSLVPN interface, an adversary can overwrite memory in the SSLVPN process and in some cases halt the entire firewall, causing repeated outages at the network perimeter. Although SonicWall reports no active exploitation at disclosure time, the low attack complexity and ease of remote targeting map this flaw to MITRE ATT&CK T1190 (Exploit Public-Facing Application) and T1499 (Endpoint Denial of Service).

The vulnerability affects SonicWall Gen7 TZ, NSa, and NSsp appliances running SonicOS 7.3.0-7012 and earlier, as well as NSv virtual firewalls on ESX, KVM, Hyper-V, AWS and Azure using the same versions. Gen8 devices in the TZ and NSa families are impacted on firmware 8.0.2-8011 and older, while Gen6 and SMA 100/1000 SSLVPN appliances are not affected. Because the attack requires only network access to the SSLVPN port and no authentication or user interaction, a single host can script repeated exploit attempts to crash edge devices and create sustained VPN outages.

From a business lens, a successful DoS against SonicWall perimeter devices disrupts remote access, branch connectivity and potentially inter-datacenter links, impacting hybrid workforces and cloud connectivity. For regulated industries like financial services and healthcare, extended VPN outages may impede access to critical applications and records, undermining service-level commitments and raising operational risk. While CVE-2025-40601 does not directly enable code execution or data theft, disruption-focused threat actors including ransomware gangs could chain it into extortion playbooks by causing repeated availability incidents and demanding payment to cease attacks.
SonicWall has released patched firmware versions SonicOS 7.3.1-7013 and 8.0.3-8011 that remediate the buffer overflow. Organizations should inventory all Gen7 and Gen8 SonicWall deployments, prioritize upgrades for internet-facing SSLVPN endpoints and consider temporarily restricting SSLVPN exposure to trusted IP ranges. As compensating controls, placing SSLVPN behind secure access gateways, enabling IDS/IPS signatures for anomalous SSLVPN traffic, and configuring redundant or failover firewalls can reduce the blast radius of potential DoS attempts while patching is underway.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: CVE-2025-40601 exposes organizations using SonicWall firewalls to remote unauthenticated DoS attacks that can crash VPN gateways and perimeter devices, affecting remote work, partner connectivity and cross-site application access. While not directly data exfiltration-focused, persistent outages can drive material operational losses and undermine resilience obligations to customers and regulators.

Technical Context: The vulnerability is a stack-based buffer overflow in the SonicOS SSLVPN service reachable over the public VPN interface, aligning with MITRE T1190 and T1499. Exploitation requires only network access and crafted traffic to the SSLVPN port, with no authentication. SonicWall has released patched SonicOS 7.3.1-7013 and 8.0.3-8011; interim defenses should limit exposure, add IPS signatures and ensure failover paths.

Strategic Intelligence Guidance

  • Rapidly identify all SonicWall Gen7 and Gen8 firewalls running affected SonicOS versions and schedule emergency upgrades to 7.3.1-7013 or 8.0.3-8011 on internet-facing SSLVPN endpoints.
  • Restrict SSLVPN access to trusted IP ranges or dedicated secure access gateways where feasible, and closely monitor for repeated malformed connection attempts indicative of DoS testing.
  • Enable or update IDS/IPS rulesets to detect suspicious SSLVPN traffic patterns and configure high-availability failover for critical perimeter firewalls to absorb transient crashes.
  • Incorporate VPN appliance vulnerabilities into regular edge-asset threat modeling and validate that SOC runbooks cover DoS-driven outage scenarios, including user communication and traffic rerouting.
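As an added example (not part of this advisory and not SonicWall tooling), the following Python applies the version boundaries stated above to a firewall inventory so the first guidance item can be scripted; the mapping of SonicOS 7.x/8.x/6.x to Gen7/Gen8/Gen6, the inventory fields and the sample hostnames and Gen6 build string are assumptions.

```python
"""CVE-2025-40601 inventory triage (added example, not SonicWall's code)."""
import re

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)-(\d+)")

def parse_version(v: str) -> tuple:
    """'7.3.0-7012' -> (7, 3, 0, 7012); the build number is the last element."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {v!r}")
    release, build = m.groups()
    return tuple(int(p) for p in release.split(".")) + (int(build),)

# (last affected build, first fixed build) from the advisory, keyed by SonicOS
# major version. Mapping 7.x -> Gen7, 8.x -> Gen8, 6.x -> Gen6 is assumed here.
BOUNDARIES = {
    7: (parse_version("7.3.0-7012"), parse_version("7.3.1-7013")),
    8: (parse_version("8.0.2-8011"), parse_version("8.0.3-8011")),
}

def assess(version: str) -> str:
    """Return 'affected', 'fixed', 'not_affected' or 'verify' for one firewall."""
    parsed = parse_version(version)
    if parsed[0] not in BOUNDARIES:
        # Gen6 (6.x) is listed as not affected; any other major is unknown here.
        return "not_affected" if parsed[0] == 6 else "verify"
    last_affected, first_fixed = BOUNDARIES[parsed[0]]
    if parsed <= last_affected:
        return "affected"
    if parsed >= first_fixed:
        return "fixed"
    # Between the stated affected and fixed builds the advisory is silent,
    # so flag the device for manual confirmation rather than guessing.
    return "verify"

def triage(inventory):
    """Assess each device, listing internet-facing SSLVPN endpoints first."""
    ranked = sorted(inventory, key=lambda d: not d["sslvpn_public"])
    return [(d["host"], assess(d["version"])) for d in ranked]

# Constructed sample inventory; hostnames and the Gen6 build string are made up.
SAMPLE_INVENTORY = [
    {"host": "lab-tz-gen8", "version": "8.0.2-8011", "sslvpn_public": False},
    {"host": "branch-tz-01", "version": "7.3.0-7012", "sslvpn_public": True},
    {"host": "dc-nsa-02", "version": "7.3.1-7013", "sslvpn_public": True},
    {"host": "legacy-gen6", "version": "6.5.4.14-109n", "sslvpn_public": True},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status}")
```

Devices reported as "verify" sit between the affected and fixed builds named in the advisory and should be confirmed against the vendor bulletin rather than assumed safe.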

CVEs

CVE-2025-40601

Vendors

  • SonicWall
  • SonicOS

Threats

  • Denial of service
  • VPN outage

Targets

  • Perimeter firewalls
  • Remote access VPN gateways