CVE-2025-40604

A Download of Code Without Integrity Check vulnerability in the SonicWall Email Security appliance: the appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution.

| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| sonicwall | CNA | --- | | | | --- |
| CISA-ADP | ADP | 6.5 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |

EPSS Score: Percentile: 6%

| Vendor | Product | Version |
|---|---|---|
| sonicwall | email_security_appliance_5000_firmware | 𝑥 ≤ 10.0.33.8195 |
| sonicwall | email_security_appliance_5050_firmware | 𝑥 ≤ 10.0.33.8195 |
| sonicwall | email_security_appliance_7000_firmware | 𝑥 ≤ 10.0.33.8195 |
| sonicwall | email_security_appliance_7050_firmware | 𝑥 ≤ 10.0.33.8195 |
| sonicwall | email_security_appliance_9000_firmware | 𝑥 ≤ 10.0.33.8195 |

𝑥 = Vulnerable software versions