SonicWall Email Security Code Execution and Path Traversal Vulnerabilities

EXECUTIVE SUMMARY:

A serious security vulnerability has been identified in SonicWall Email Security (ES) appliances, tracked as CVE-2025-40604 and CVE-2025-40605. These flaws allow attackers with underlying storage or virtualization access to either inject persistent malicious code or access restricted system files, posing significant risk to both physical and virtual deployments, including VMware and Hyper-V environments.[emaillocker id="1283"]

• CVE-2025-40604: A medium-severity flaw where the appliance loads root filesystem images without verifying their integrity. An attacker with access to the VMDK or datastore can modify core system files, enabling persistent arbitrary code execution within the appliance. This could allow full compromise of email processing, traffic inspection, and security functions. CVSS v3.1 score is 6.5 (Medium).
• CVE-2025-40605: A directory-traversal vulnerability that allows attackers to manipulate file paths using crafted traversal sequences (such as ../) to access files and directories outside intended restrictions. This could expose sensitive configuration data and assist in further exploitation. CVSS v3.1 score is 5.3 (Medium).

Exploitation of these vulnerabilities could allow attackers to gain long-term control of the email security appliance, deploy malicious components, access confidential information, or escalate their presence within targeted environments.

RECOMMENDATION:

• We strongly recommend you update SonicWall Email Security appliances to versions 10.0.34.8215, 10.0.34.8223 or later.

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/sonicwall-patches-two-vulnerabilities-in-email-security-appliances-including-code-execution-flaw-cve-2025-40604/