A zero-day vulnerability (CVE-2025-23006) affecting SonicWall’s Secure Mobile Access (SMA) 1000 has been actively exploited, potentially allowing unauthorized remote command execution. Although SonicWall provided a fix, the advisory warns of ongoing threats from malicious actors targeting this security flaw.
Affected: SonicWall SMA 1000, SonicWall Firewall devices
Key points:
- A zero-day vulnerability identified as CVE-2025-23006 was disclosed by SonicWall.
- The vulnerability is related to deserialization of untrusted data in the appliance management console (AMC) and central management console (CMC).
- It has a critical CVSSv3 score of 9.8, indicating severe risk.
- Unauthenticated remote attackers can exploit this vulnerability through specially crafted requests.
- The SonicWall Product Security Incident Response Team (PSIRT) reported possible active exploitation of this vulnerability in the wild.
- Historical data indicates that SonicWall SMA products have faced numerous targeted attacks in the past.
- No proof-of-concept (PoC) code is currently available for CVE-2025-23006.
- SonicWall has released version 12.4.3-02854 to patch the issue and suggests restricting AMC and CMC access to trusted sources as a workaround.
- Tenable provides a list of plugins related to CVE-2025-23006, which is updated as new information becomes available.
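The patch and workaround guidance above can be turned into a quick inventory triage. The following is an added example, not code from SonicWall or Tenable: the inventory fields (`name`, `version`, `mgmt_sources`) and sample records are constructed, and it assumes that any build earlier than the fixed release 12.4.3-02854 still needs the update.

```python
import re

# Fixed release named on this page; earlier builds are assumed to need the update.
FIXED = "12.4.3-02854"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Return (major, minor, patch, build), or None if the string is malformed."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def triage(appliance):
    """Classify one inventory record (hypothetical fields: version, mgmt_sources)."""
    version = parse_version(appliance.get("version", ""))
    if version is None:
        return "unknown"  # unparsable version: verify by hand, never assume patched
    if version >= parse_version(FIXED):
        return "patched"
    # Workaround from the advisory: AMC/CMC reachable from trusted sources only.
    # An empty or wildcard source list is treated as not restricted.
    sources = appliance.get("mgmt_sources", [])
    restricted = bool(sources) and all(
        s not in ("0.0.0.0/0", "::/0", "any") for s in sources
    )
    return "unpatched-restricted" if restricted else "unpatched-exposed"


def report(inventory):
    """Return (name, status) pairs, most urgent first."""
    order = ["unpatched-exposed", "unknown", "unpatched-restricted", "patched"]
    rows = [(a["name"], triage(a)) for a in inventory]
    return sorted(rows, key=lambda r: order.index(r[1]))


# Constructed sample inventory (names, versions and addresses are made up).
SAMPLE = [
    {"name": "sma-a", "version": "12.4.3-02854", "mgmt_sources": ["0.0.0.0/0"]},
    {"name": "sma-b", "version": "12.4.3-02000", "mgmt_sources": ["10.20.0.0/24"]},
    {"name": "sma-c", "version": "12.4.2-01000", "mgmt_sources": ["0.0.0.0/0"]},
    {"name": "sma-d", "version": "12.4.3", "mgmt_sources": []},
]

if __name__ == "__main__":
    for name, status in report(SAMPLE):
        print(f"{name}: {status}")
```

Restricting management access is only the interim workaround, so "unpatched-restricted" appliances still belong on the upgrade list.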
MITRE Techniques:
- TA0040: Ingress Tool Transfer – Attackers could potentially leverage file transfer exploits via remote access tools.
- TA0011: Command and Control – The exploit could enable attackers to execute commands on the vulnerable device.