CVE-2025-40597

A Heap-based buffer overflow vulnerability in the SMA100 series web interface allows a remote, unauthenticated attacker to cause Denial of Service...

Basic Information

CVE State: PUBLISHED
Reserved Date: April 16, 2025
Published Date: July 23, 2025
Last Updated: July 25, 2025
Vendor: SonicWall
Product: SMA 100 Series
Description: A Heap-based buffer overflow vulnerability in the SMA100 series web interface allows a remote, unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution.
Tags: edge

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

Score: 0.05% (Percentile: 15.96%) as of 2025-07-28

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-07-23 15:45:28 UTC)

Known Exploited Vulnerability Information

Source: SonicWall Security Advisories
Added Date: 2025-07-23 15:45:22 UTC

Recent Mentions

It’s 2025, and at this point we’re convinced there’s a secret industry-wide pledge: every network appliance must include at least one trivially avoidable HTTP header parsing bug - preferably pre-auth. Bonus points if it involves sscanf and engineers who try to do the right

SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities

Source: SonicWall Security Advisories • Published: 2025-07-23 15:46:30 UTC

1) CVE-2025-40596 - Pre-Authentication Stack-Based Buffer Overflow Vulnerability
A Stack-based buffer overflow vulnerability in the SMA100 series web interface allows a remote, unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution.
CVSS Score: 7.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE-121: Stack-based Buffer Overflow

2) CVE-2025-40597 - Pre-Authentication Heap-Based Buffer Overflow Vulnerability
A Heap-based buffer overflow vulnerability in the SMA100 series web interface allows a remote, unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution.
CVSS Score: 7.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE-122: Heap-based Buffer Overflow

3) CVE-2025-40598 - Reflected Cross-Site Scripting (XSS) Vulnerability
A Reflected cross-site scripting (XSS) vulnerability exists in the SMA100 series web interface, allowing a remote unauthenticated attacker to potentially execute arbitrary JavaScript code.
CVSS Score: 6.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SonicWall strongly advises users of the SMA100 series products (SMA 210, 410, and 500v) to upgrade to the mentioned fixed release version to address these vulnerabilities.

There is currently no evidence any of the vulnerabilities addressed in this release are being exploited in the wild.

CVE: CVE-2025-40596, CVE-2025-40597, CVE-2025-40598
Last updated: July 23, 2025, 3:46 p.m.

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel