Critical Vulnerability Discovered in SonicWall SMA 1000 Series
Summary
SonicWall has issued a critical security advisory for its SMA1000 appliances, revealing a high-severity pre-authentication remote command execution vulnerability (CVE-2025-23006) with a CVSS score of 9.8. This flaw, caused by the deserialization of untrusted data, affects Appliance Management Console (AMC) and Central Management Console (CMC) products running versions 12.4.3-02804 and earlier, allowing unauthenticated attackers to execute arbitrary OS commands remotely. SonicWall warns of potential active exploitation and strongly recommends upgrading to version 12.4.3-02854 (platform-hotfix) or later. As a precaution, restricting access to management consoles from trusted sources is advised until the upgrade is applied.
Technical Description
A critical zero-day vulnerability, identified as CVE-2025-23006, has been discovered in SonicWall’s Secure Mobile Access (SMA) 1000 series appliances, with a CVSS score of 9.8. Actively exploited in the wild, this flaw affects Appliance Management Console (AMC) and Central Management Console (CMC) products running versions 12.4.3-02804 and earlier. If leveraged, it allows remote, unauthenticated attackers to execute arbitrary commands on vulnerable systems.
The affected type of SSL VPN appliance is typically internet-facing, rendering it easily accessible and a highly attractive target for threat actors seeking an intrusion vector. If a threat actor exploits this vulnerability and gains access to the VPN, it could potentially lead to network intrusions, which could later result in data exfiltration, extortion, and/or encryption events.
Deserialization Vulnerability
Deserialization vulnerabilities arise when a system processes untrusted or malicious data during deserialization, potentially resulting in arbitrary code execution. In the case of SMA1000 appliances, the flaw lies in how incoming data is managed during the deserialization process prior to authentication. This vulnerability allows attackers to send specially crafted payloads to the device, enabling command execution without requiring authentication.
Exploitation Mechanism
Exploitation of this vulnerability allows attackers to inject commands that execute with system-level privileges. Since the flaw exists pre-authentication, attackers do not need to authenticate or have prior access to the network to exploit it. This makes the vulnerability particularly dangerous, as it can be triggered remotely without any special permission, enabling attackers to gain full control of the device.
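The advisory does not describe the SMA 1000 deserialization code path, so the following is an added, generic illustration of the class of defect rather than SonicWall's code: an unpickler that resolves any importable name (the pattern behind "deserialization of untrusted data"), beside two defensive alternatives, a restricted unpickler with an allow-list of permitted globals, and a schema-checked JSON parser that cannot carry code at all. The sample session data and the allow-list contents are constructed for the example.

```python
import collections
import io
import json
import pickle

# Allow-list of (module, name) pairs the restricted unpickler may resolve.
# Constructed for this example; a real service lists only the types it serialises.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import any class or callable not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load global {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialise with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    """Vulnerable pattern: pickle.loads on attacker-controlled bytes resolves any importable name."""
    return pickle.loads(data)


def parse_session_json(data: bytes) -> dict:
    """Preferred alternative: a data-only format, validated against a fixed schema."""
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != {"user", "expires"}:
        raise ValueError("unexpected session structure")
    if not isinstance(obj["user"], str) or not isinstance(obj["expires"], int):
        raise ValueError("unexpected field types")
    return obj


# Constructed sample inputs.
# A plain dict of str/int needs no global lookups, so the restricted loader accepts it.
BENIGN_PICKLE = pickle.dumps({"user": "alice", "expires": 1700000000})
# OrderedDict is harmless, but it is reconstructed through a GLOBAL reference
# that is not on the allow-list, so the restricted loader must reject it.
OUTSIDE_ALLOWLIST_PICKLE = pickle.dumps(collections.OrderedDict(user="alice"))


def demo() -> dict:
    """Run the three loaders over the constructed inputs and report what each did."""
    results = {}
    results["benign_restricted"] = restricted_loads(BENIGN_PICKLE)
    try:
        restricted_loads(OUTSIDE_ALLOWLIST_PICKLE)
        results["outside_rejected"] = False
    except pickle.UnpicklingError:
        results["outside_rejected"] = True
    # The unrestricted loader resolves the global without any check.
    results["unsafe_resolves_global"] = isinstance(
        unsafe_loads(OUTSIDE_ALLOWLIST_PICKLE), collections.OrderedDict
    )
    results["json_ok"] = parse_session_json(b'{"user": "alice", "expires": 1700000000}')
    try:
        parse_session_json(b'{"user": "alice", "expires": 1700000000, "role": "admin"}')
        results["json_extra_field_rejected"] = False
    except ValueError:
        results["json_extra_field_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that an allow-list turns "which names can the input make the runtime resolve" from an open question into a fixed set, and that moving pre-authentication inputs to a data-only format removes the question entirely.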
Affected Products
SonicWall SMA 1000 Series appliances running version 12.4.3-02804 (platform-hotfix) and earlier.
- Appliance Management Console (AMC)
- Central Management Console (CMC)
SonicWall Firewall and SMA 100 series products are not impacted.
Impact on Affected Devices
- Remote Code Execution (RCE): Successful exploitation enables attackers to gain complete control over the targeted SMA 1000 appliance.
- Threat Landscape: Evidence suggests the vulnerability is being actively exploited as a zero-day in real-world attacks. Advanced Persistent Threat (APT) groups could leverage this flaw for data exfiltration, lateral movement within networks, and potentially as a launch point for broader attacks.
- Operational Downtime: Organizations relying on SMA 1000 appliances may face disruptions in secure remote access functionality if systems are compromised.
Active Exploitation
SonicWall has been informed of possible exploitation in the wild, although specific details of the threat actors or attacks remain undisclosed. The discovery and reporting of this vulnerability have been credited to the Microsoft Threat Intelligence Center (MSTIC).
Mitigation
SonicWall has released a fix for the flaw in SMA 1000 Series firmware version 12.4.3-02854 (platform-hotfix). It is essential to apply this patch immediately to secure your system from potential exploitation.
To minimize the potential impact of the vulnerability, restrict access to the Appliance Management Console (AMC) and Central Management Console (CMC) to trusted sources until the patch is applied. SonicWall has also confirmed that SonicWall Firewall and SMA 100 series products are not affected by this vulnerability.
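For the Affected Products and Mitigation sections above, here is an added triage helper (not SonicWall tooling) that parses SMA 1000 version strings of the form shown in the advisory and flags every appliance below the fixed release 12.4.3-02854. It treats anything older than the fixed build as needing the patch, which is the conservative reading of "12.4.3-02804 and earlier", and skips Firewall and SMA 100 entries because the advisory states they are not affected. The inventory and hostnames are constructed sample data.

```python
import re
from typing import List, Tuple

# Fixed release named in the advisory.
FIXED_VERSION = "12.4.3-02854"

# Matches "12.4.3-02804" with an optional " (platform-hotfix)" suffix as printed in the advisory.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\s*\(platform-hotfix\))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.4.3-02804 (platform-hotfix)' into (12, 4, 3, 2804) for ordered comparison."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised SMA 1000 version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(installed: str) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames of SMA 1000 appliances that still need the 12.4.3-02854 hotfix.

    inventory rows are (hostname, product family, version string).
    """
    needs_patch = []
    for host, product, version in inventory:
        if product != "SMA 1000":
            continue  # Firewall and SMA 100 series are not affected per the advisory
        if is_vulnerable(version):
            needs_patch.append(host)
    return needs_patch


# Constructed inventory; hostnames and the SMA 100 version string are invented.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "SMA 1000", "12.4.3-02804 (platform-hotfix)"),
    ("vpn-edge-02", "SMA 1000", "12.4.3-02854 (platform-hotfix)"),
    ("vpn-edge-03", "SMA 1000", "12.4.2-01234"),
    ("vpn-branch-01", "SMA 100", "10.2.1-24sv"),
]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_VERSION} or later")
```

The parser raises on anything it does not recognise rather than guessing, so an inventory export with an unexpected version format surfaces as an error instead of silently dropping a host from the patch list.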
Conclusion
CVE-2025-23006 is a severe vulnerability in the SMA1000 series appliances, enabling unauthenticated attackers to execute remote code on affected devices. This flaw is especially concerning due to its ease of exploitation, requiring no prior authentication. Organizations using vulnerable versions of SMA1000 appliances should urgently upgrade to the latest patched version or apply the recommended workaround to safeguard their systems against ongoing exploitation attempts.
Impact
This security flaw impacts SMA1000 appliances operating on versions 12.4.3-02804 (platform-hotfix) or older. Exploitation of the vulnerability allows attackers to take full control of the device, potentially leading to unauthorized exposure of confidential information, alteration of device settings, or total disruption of the appliance’s operations.
IOC and Context Details
Recommended Actions
- Users are strongly advised to upgrade to version 12.4.3-02854 (platform-hotfix) or later.
- Access to the AMC and CMC interfaces should be limited to authorized/trusted sources only.
- Impacted organizations that operate SonicWall Secure Mobile Access (SMA) 1000 series appliances and suffer a network intrusion should ensure that logs are preserved and that both the patch level and the date of patching are recorded.
- Use intrusion detection systems (IDS) to identify suspicious activity.