Cyber Security News

CISA Warns of SonicWall 0-day RCE Vulnerability Exploited in the Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical vulnerability, CVE-2025-23006, affecting SonicWall’s Secure Mobile Access (SMA) 1000 series appliances.

This vulnerability, actively exploited in the wild, poses a severe risk to organizations relying on these devices for secure remote access.

CVE-2025-23006, classified under CWE-502 (Deserialization of Untrusted Data), is a pre-authentication flaw: a remote attacker who can reach the management interface can, under specific conditions, trigger the deserialization and execute arbitrary operating system commands without any credentials.

The flaw resides in the Appliance Management Console (AMC) and Central Management Console (CMC) of SonicWall SMA 1000 appliances. It carries a CVSS v3.1 base score of 9.8 (Critical), with a vector of network access, low attack complexity, no privileges and no user interaction required.

The vulnerability affects SMA 1000 versions 12.4.3-02804 (platform-hotfix) and earlier. SonicWall states that its firewall products and the SMA 100 series are not affected.

Vulnerability Exploitation

The Microsoft Threat Intelligence Center (MSTIC) discovered and reported this issue to SonicWall’s Product Security Incident Response Team (PSIRT).

SonicWall's advisory states that its PSIRT was notified of possible active exploitation by threat actors, and CISA has since added the CVE to its Known Exploited Vulnerabilities (KEV) Catalog, which obliges U.S. federal civilian agencies to remediate it by the catalog's due date.


Successful exploitation of CVE-2025-23006 gives the attacker command execution on the appliance itself, which means full compromise of the device's confidentiality, integrity, and availability.

Because the flaw needs no credentials and has low attack complexity, any appliance whose AMC or CMC is reachable from an untrusted network is directly exposed. An attacker who controls a remote-access gateway is positioned to harvest credentials and session data, pivot into the internal network, or stage additional payloads.

Mitigation Steps

To address the vulnerability, SonicWall has released a hotfix, version 12.4.3-02854 (platform-hotfix) and higher. The company strongly advises all users of SMA 1000 appliances to upgrade immediately.

For organizations unable to apply the patch promptly, SonicWall recommends restricting access to the AMC and CMC interfaces to trusted source IP addresses as a temporary workaround. This reduces exposure but does not remove the flaw; the upgrade is still required.

Additionally, administrators should review the appliance for signs of prior compromise rather than assume the patch closes the matter: a device that was exposed while exploitation was ongoing may already be backdoored. Limiting administrative access, placing management interfaces on a segmented network, and keeping all edge devices current on security patches remain the baseline.

SonicWall products have historically been frequent targets for cyberattacks, with several vulnerabilities exploited by ransomware groups and other threat actors in recent years. This latest incident underscores the importance of proactive security measures in safeguarding critical infrastructure.

CISA's inclusion of CVE-2025-23006 in its Known Exploited Vulnerabilities Catalog signals that this is not a theoretical risk: the flaw is being used, and unpatched appliances are exposed to data theft and service disruption. Organizations running SonicWall SMA 1000 appliances should apply the hotfix now and, where that is not immediately possible, restrict access to the AMC and CMC interfaces to trusted sources as SonicWall advises.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
