CVE-2025-40604
CRITICALDescription
Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| sonicwall | email_security_appliance_5000_firmware |
| sonicwall | email_security_appliance_5000 |
| sonicwall | email_security_appliance_5050_firmware |
| sonicwall | email_security_appliance_5050 |
| sonicwall | email_security_appliance_7000_firmware |
| sonicwall | email_security_appliance_7000 |
| sonicwall | email_security_appliance_7050_firmware |
| sonicwall | email_security_appliance_7050 |
| sonicwall | email_security_appliance_9000_firmware |
| sonicwall | email_security_appliance_9000 |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-40604? +
How severe is CVE-2025-40604? +
What products are affected by CVE-2025-40604? +
How do I check if I'm vulnerable to CVE-2025-40604? +
Related Vulnerabilities
Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP …
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or …
Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation …
A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the …
This vulnerability exists in the TP-Link Archer C50 due to improper signature verification mechanism in the firmware upgrade process at …
Vulnerability in PointCloudLibrary PCL (surface/src/3rdparty/opennurbs modules). This vulnerability is associated with program files crc32.C. This vulnerability is only relevant if …