rxerium/CVE-2025-40602

CVE-2025-40602

CVE-2025-40602 is a local privilege escalation vulnerability in the appliance management console (AMC) of SonicWall Secure Mobile Access (SMA) 1000 series appliances. The vulnerability stems from insufficient authorization in the AMC, allowing authenticated remote attackers to escalate privileges on affected devices. When chained with CVE-2025-23006, attackers can achieve unauthenticated remote code execution with root privileges. This zero-day vulnerability has been actively exploited in the wild and was added to CISA's Known Exploited Vulnerabilities catalog on December 17, 2025.

How does this detection method work?

This Nuclei template uses a strictly conservative detection approach that flags only explicitly verified vulnerable versions with complete build numbers. It employs two active DSL matchers: contains(version, "12.4.3-") && compare_versions(version, "<= 12.4.3-03093") identifies SMA appliances running 12.4.3 platform-hotfix builds numbered 03093 or lower, while contains(version, "12.5.0-") && compare_versions(version, "<= 12.5.0-02002") identifies 12.5.0 builds numbered 02002 or lower. Version information is extracted from the HTTP Server header (e.g., Server: SMA/12.4.3-03093), and a finding requires both a successful version match and body content confirming the presence of "Appliance Management Console" or "SonicWall".

Notably, the template also includes commented-out matchers for ambiguous versions (version == "12.4.3" and version == "12.5" || version == "12.5.0") that lack build numbers. These are intentionally disabled to prevent false positives, because a version without a build number cannot determine vulnerability status on its own (e.g., SMA/12.5.0 could be either vulnerable build 02002 or patched build 02283). This design ensures zero false positives by only flagging systems whose complete version string, including the build number, can be checked against the vulnerable ranges in the official advisory, which makes the template suitable for high-confidence vulnerability scanning where accuracy is prioritized over broad coverage.
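As an added illustration (not the project's template and not Nuclei's DSL), the following Python reproduces the same decision logic over a Server header and response body, including the deliberately unflagged build-less versions; the sample responses are constructed, and the build thresholds are the ones stated above.

```python
import re
from typing import Optional, Tuple

# Highest build number still vulnerable per platform line, as stated in this README.
VULNERABLE_MAX_BUILD = {
    (12, 4, 3): 3093,   # 12.4.3-03093 and lower
    (12, 5, 0): 2002,   # 12.5.0-02002 and lower
}
# Matches "SMA/12.4.3-03093", "SMA/12.5.0" and "SMA/12.5" (patch and build optional).
SERVER_RE = re.compile(r"^SMA/(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")
BODY_MARKERS = ("Appliance Management Console", "SonicWall")

def parse_server_header(value: str) -> Optional[Tuple[Tuple[int, int, int], Optional[int]]]:
    """Return ((major, minor, patch), build) from an SMA Server header, or None if not SMA.
    A missing patch component is read as 0; a missing build is returned as None."""
    m = SERVER_RE.match(value.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    platform = (int(major), int(minor), int(patch) if patch is not None else 0)
    return platform, (int(build) if build is not None else None)

def classify(server_header: str, body: str) -> str:
    """Mirror the template's conservative logic:
    'vulnerable'  - full build number inside a listed vulnerable range and AMC body markers present
    'ambiguous'   - platform line matches but no build number (matcher intentionally disabled)
    'not_flagged' - anything else (higher build, other platform, non-SMA header, wrong body)"""
    parsed = parse_server_header(server_header)
    if parsed is None or not any(marker in body for marker in BODY_MARKERS):
        return "not_flagged"
    platform, build = parsed
    if platform not in VULNERABLE_MAX_BUILD:
        return "not_flagged"
    if build is None:
        return "ambiguous"
    return "vulnerable" if build <= VULNERABLE_MAX_BUILD[platform] else "not_flagged"

# Constructed sample responses (not real scan data).
SAMPLES = [
    ("SMA/12.4.3-03093", "<title>Appliance Management Console</title>"),
    ("SMA/12.4.3-03094", "<title>Appliance Management Console</title>"),
    ("SMA/12.5.0-02002", "SonicWall login"),
    ("SMA/12.5.0-02283", "SonicWall login"),
    ("SMA/12.5.0", "SonicWall login"),
    ("SMA/12.4.3-03093", "<html>unrelated page</html>"),
]

if __name__ == "__main__":
    for header, body in SAMPLES:
        print(f"{header:18} -> {classify(header, body)}")
```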

How do I run this script?

  1. Download and install Nuclei.
  2. Clone this repository to your local system.
  3. Run the following command:

     nuclei -u <ip|fqdn> -t template.yaml

Or, if you would like to scan a list of hosts, execute:

     nuclei -l <list.txt> -t template.yaml

References

Disclaimer

Use at your own risk, I will not be responsible for illegal activities you conduct on infrastructure you do not own or have permission to scan.


License

This project is licensed under the MIT License.

Contact

If you have any questions about this vulnerability detection script, please reach out to me via Signal.

If you would like to connect, I am mostly active on Twitter/X and LinkedIn.

About

Detection for CVE-2025-40602
