SonicWall is warning about a pre-authentication deserialization vulnerability in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), with reports that it has been exploited as a zero-day in attacks.
The flaw, tracked as CVE-2025-23006 and rated critical (CVSS v3 score: 9.8), could allow remote unauthenticated attackers to execute arbitrary OS commands under specific conditions.
The vulnerability affects all firmware versions of the SMA100 appliance up to 12.4.3-02804 (platform-hotfix).
SonicWall highlighted that it has received reports that the vulnerability was exploited as a zero-day in attacks.
“SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors,” warns the bulletin.
“We strongly advises users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.”
Microsoft’s Threat Intelligence Center discovered the flaw, so more details about the exploitation activity and when it started might be shared by Microsoft at a later date.
System administrators are recommended to upgrade to version 12.4.3-02854 (platform-hotfix) and later to mitigate the risk.
SonicWall clarified that CVE-2025-23006 does not impact SMA 100 series products, so no action is required for them.
Germany’s Computer Emergency Response Team, CERT-Bund, also issued a warning on X urging admins to install the updates immediately.
Macnica researcher Yutaka Sejiyama told BleepingComputer that a Shodan search reports that 2,380 SMS1000 devices are currently exposed online.
SonicWall devices a common target
SMA1000 are secure remote access appliances commonly used by large organizations to provide VPN access to corporate networks.
Given their critical role in the enterprise, government agencies, and critical service providers, the risk of unpatched flaws in them is particularly high.
Earlier this month, SonicWall warned about a dangerous authentication bypass flaw impacting firewall appliances, tracked as CVE-2024-53704.
Yesterday, Bishop Fox researchers published a video showcasing their exploit of CVE-2024-53704, promising to disclose the complete details on February 10, 2025.
“Although significant reverse-engineering effort was required to find and exploit the vulnerability, the exploit itself is rather trivial,” reads the Bishop Fox post.
Meanwhile, as of yesterday, Bishop Fox reported that over five thousand SonicWall devices susceptible to CVE-2024-53704 are exposed on the internet.