SonicWall SMA appliances exploited in zero-day attacks (CVE-2025-23006)
A critical zero-day vulnerability (CVE-2025-23006) affecting SonicWall Secure Mobile Access (SMA) 1000 Series appliances is being exploited by attackers.
“We strongly advise users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability,” the company said on Wednesday.
About CVE-2025-23006
SonicWall Secure Mobile Access (SMA) is a unified secure access gateway used by organizations to provide employees access to applications from anywhere. The SMA 1000 series of appliances is aimed at large distributed enterprises of up to thousands of employees.
CVE-2025-23006 is a deserialization of untrusted data vulnerability in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), and can be exploited by remote, unauthenticated attackers to execute arbitrary OS commands, if specific (currently unspecified) conditions are present.
Microsoft Threat Intelligence Center (MSTIC) has been credited with reporting the flaw and notifying the SonicWall Product Security Incident Response Team (PSIRT) “of possible active exploitation”, but additional details about the vulnerability and the attacks have yet to be shared.
CVE-2025-23006 affects version 12.4.3-02804 (platform-hotfix) and earlier versions of SMA 1000 appliances, and has been fixed in version 12.4.3-02854 (platform-hotfix) and higher versions.
“To minimize the potential impact of the vulnerability, please ensure that you restrict access to trusted sources for the Appliance Management Console (AMC) and Central Management Console (CMC),” the company advised, and confirmed that SonicWall Firewall and SMA 100 series products are not affected by this vulnerability.
UPDATE (January 27, 2025, 04:40 a.m. ET):
“This vulnerability has been confirmed as being actively exploited in the wild, thus this information should be treated with the utmost severity,” SonicWall confirmed in a related notice.
“Appliances on vulnerable firmware versions, with administrative access exposed to the public internet, are especially at risk of exploitation. Administrative access refers to the ability to access the web-based Appliance Management and Central Management consoles (AMC & CMC) on the configured port (default 8443).”
The list of impacted SMA1000 models includes: SMA6200, SMA6210, SMA7200, SMA7210, SMA8200v (ESX, KVM, Hyper-V, AWS, Azure), EX6000, EX7000, and EX9000.
“SonicWall is preparing additional information for customers to verify the integrity of their appliances,” the company announced.
UPDATE (January 29, 2025, 08:20 a.m. ET):
Censys detects around 90 vulnerable SonicWall SMA 1000-series appliances with publicly exposed management interfaces, predominantly located in North America and Europe.
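To turn the version bounds, the impacted model list and the exposure warning above into a patching worklist, the following added example (not SonicWall's or the article's code) triages an appliance inventory. The inventory layout, hostnames, status labels and function names are assumptions made for illustration; only the version bounds and model names come from the article.

```python
import re

# Bounds and model list come from the article; the inventory layout is assumed.
LAST_AFFECTED = (12, 4, 3, 2804)  # 12.4.3-02804 (platform-hotfix) and earlier
FIRST_FIXED = (12, 4, 3, 2854)    # 12.4.3-02854 (platform-hotfix) and higher
IMPACTED_MODELS = {"SMA6200", "SMA6210", "SMA7200", "SMA7210", "SMA8200V",
                   "EX6000", "EX7000", "EX9000"}

def parse_version(text):
    """'12.4.3-02804 (platform-hotfix)' -> (12, 4, 3, 2804); None if unparsable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)-(\d+)\b", text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(model, version, mgmt_exposed):
    """Classify one appliance record against the advisory's version bounds."""
    if model.replace(" ", "").upper() not in IMPACTED_MODELS:
        return "not-in-scope"
    v = parse_version(version)
    if v is None:
        return "check-manually"
    if v >= FIRST_FIXED:
        return "fixed"
    if v > LAST_AFFECTED:
        # Builds between the two stated bounds are not classified by the advisory.
        return "check-manually"
    # Affected firmware: exposed AMC/CMC (default port 8443) goes to the front.
    return "upgrade-urgent" if mgmt_exposed else "upgrade"

# Constructed sample inventory: (hostname, model, firmware, AMC/CMC reachable
# from the public internet according to your own firewall review).
INVENTORY = [
    ("gw-a", "SMA7210", "12.4.3-02804 (platform-hotfix)", True),
    ("gw-b", "SMA6210", "12.4.3-02854", True),
    ("gw-c", "EX9000", "12.4.2-05082", False),
    ("gw-d", "SMA8200v", "12.4.3-02830", False),
    ("gw-e", "SMA 410", "unknown", True),
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw, exposed) for host, model, fw, exposed in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Builds that fall between the two stated bounds, or that cannot be parsed, are routed to manual review rather than assumed safe.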