SonicWall’s SMA100 series SSL-VPN appliances have serious security vulnerabilities, revealing ongoing issues in network infrastructure. The identified vulnerabilities show fundamental programming errors that allow pre-authentication attacks against firmware version 10.2.1.1.5.
CVE-2025-40596: Pre-Authentication Stack Buffer Overflow
WatchTower Labs found a classic stack-based buffer overflow vulnerability caused by malformed HTTP requests to the /api/ endpoint. The flaw within the /usr/src/EasyAccess/bin/httpd binary is responsible for processing incoming SSL-VPN connections.
The code uses an unsafe sscanf function that reads user-controlled URI data without checking limits. When the system encounters requests beginning with /api/, it copies user input into a 0x800-byte stack buffer located at [rsp+898h+var_878] without validating input length.
Exploitation requires minimal effort, achievable through a simple Python one-liner: import requests; requests.get(“https://x.x.x.x/api/v1/”+’A’*3000,verify=False).
Stack protection mechanisms reduce immediate exploitation risk, but the vulnerability’s pre-authentication aspect in SSL-VPNs poses serious security issues.
CVE-2025-40597: Heap Overflow:
The second vulnerability affects the mod_httprp.so module, likely standing for “HTTP Reverse Proxy,” which handles various SonicWall-specific HTTP parsing functions. A heap-based buffer overflow happens during Host header processing, showing that even “secure” coding can fail if done improperly.
The vulnerable code allocates a 128-byte heap chunk via calloc(0x80, 1) before passing it to __sprintf_chk. Despite using the supposedly safer sprintf variant, developers passed -1 (0xFFFFFFFFFFFFFFFF) as the size parameter, effectively disabling bounds checking entirely.
This configuration allows attackers to overflow the allocated heap chunk by sending oversized Host headers: import requests; requests.get(“https://x.x.x.x/api/”, headers={‘Host’:’A’*750}, verify=False).
The overflow corrupts adjacent heap metadata, potentially enabling more sophisticated exploitation techniques.
CVE-2025-40598: Cross-site Scripting Flaw:
The third vulnerability represents a straightforward reflected cross-site scripting flaw in the radiusChallengeLogin CGI endpoint. The state parameter reflects user input directly into HTTP responses without sanitization or encoding.
Exploitation requires minimal sophistication: https://x.x.x.x/cgi-bin/radiusChallengeLogin portalName=portal1&status=needchallenge&state=”><img/src=x+onerror=alert1>. Full report here.
InfoSecBulletin Cybersecurity for mankind
