CVE-2025-40604

CRITICAL

Sonicwall Email Security Appliance 50... - Download Without Integrity Check

Title source: rule

Description

Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution.

References (1)

[Vendor Advisory] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0018

Scores

CVSS v3 9.8

EPSS 0.0003

EPSS Percentile 7.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-494

Status published

Affected Products (5)

sonicwall/email_security_appliance_5000_firmware < 10.0.33.8195

sonicwall/email_security_appliance_5050_firmware < 10.0.33.8195

sonicwall/email_security_appliance_7000_firmware < 10.0.33.8195

sonicwall/email_security_appliance_7050_firmware < 10.0.33.8195

sonicwall/email_security_appliance_9000_firmware < 10.0.33.8195

Timeline

Published Nov 20, 2025

Tracked Since Feb 18, 2026