Cyber Security News

SonicWall 0-day Vulnerability Exploited in Attacks to Execute Arbitrary OS Commands

A critical security vulnerability, tracked as CVE-2025-23006, has been identified in SonicWall’s SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). 

This flaw, classified under CWE-502 (Deserialization of Untrusted Data), carries a CVSS base score of 9.8 (Critical), reflecting its potential for complete compromise of the affected appliance. 

SonicWall has confirmed active exploitation of this vulnerability by malicious actors and urges immediate action to mitigate risks.


The vulnerability arises from improper handling of untrusted data during deserialization in the AMC and CMC components. Under specific conditions, this flaw enables remote, unauthenticated attackers to execute arbitrary operating system commands on affected devices.


This could result in full system compromise, impacting confidentiality, integrity, and availability.

“Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands”, reads the advisory.

Notably, this vulnerability does not affect SonicWall Firewall or SMA 100 series products. SonicWall’s Product Security Incident Response Team (PSIRT) has verified reports of active exploitation in the wild. 

Threat actors are leveraging this zero-day vulnerability to target unpatched systems, making it critical for affected organizations to act swiftly.

The vulnerability was discovered by the Microsoft Threat Intelligence Center (MSTIC), which promptly reported it to SonicWall.

Affected products are SMA1000 Series appliances running version 12.4.3-02804 or earlier. SonicWall has released a patched version (12.4.3-02854) to address the issue. Users are strongly advised to upgrade to this version or later immediately. 
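As an added example (not code from the article or from SonicWall), the following Python helper turns the affected and fixed build numbers quoted above into a fleet check. Comparing the version as a tuple matters because comparing the raw strings gives the wrong answer once a component gains a digit (a hypothetical "12.4.10-00001" sorts before "12.4.3-02854" as text). The hostnames and version strings in the sample inventory are constructed, and the parser assumes SMA1000 builds always follow the major.minor.patch-build pattern used in the advisory.

```python
import re

# Build numbers quoted from the SonicWall advisory for CVE-2025-23006.
LAST_VULNERABLE = "12.4.3-02804"  # this build and everything earlier is affected
FIRST_FIXED = "12.4.3-02854"      # the platform hotfix that closes the issue

# Assumed format: major.minor.patch-build, e.g. 12.4.3-02804
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Turn an SMA1000 version string into a comparable (major, minor, patch, build) tuple.

    Raises ValueError for anything that does not match the expected pattern so
    that a blank or hand-typed inventory field is never silently treated as safe.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised SMA1000 version string: %r" % (text,))
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when the appliance runs the last vulnerable build or anything earlier."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def triage(inventory):
    """Sort a hostname -> version mapping into action buckets.

    patch_now : at or below 12.4.3-02804, known vulnerable
    patched   : at or above 12.4.3-02854, carries the fix
    unlisted  : a build between the two that the advisory does not name;
                confirm its status with the vendor rather than assuming
    unknown   : version field could not be parsed
    """
    buckets = {"patch_now": [], "patched": [], "unlisted": [], "unknown": []}
    last_vulnerable = parse_version(LAST_VULNERABLE)
    first_fixed = parse_version(FIRST_FIXED)
    for host, version in inventory.items():
        try:
            parsed = parse_version(version)
        except ValueError:
            buckets["unknown"].append(host)
            continue
        if parsed <= last_vulnerable:
            buckets["patch_now"].append(host)
        elif parsed >= first_fixed:
            buckets["patched"].append(host)
        else:
            buckets["unlisted"].append(host)
    return buckets


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = {
    "sma-hq-01": "12.4.3-02804",   # exactly the last vulnerable build
    "sma-hq-02": "12.4.3-02854",   # exactly the fixed build
    "sma-dr-01": "12.4.2-01900",   # older release train, still vulnerable
    "sma-lab-01": "12.4.10-00001", # hypothetical later build; string compare would get this wrong
    "sma-mid-01": "12.4.3-02830",  # between the two quoted builds, not named in the advisory
    "sma-old-01": "n/a",           # unparseable inventory field
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-10s %s" % (bucket, ", ".join(hosts) or "-"))
```

Run it as a script to see the four buckets for the sample inventory; in practice the mapping would come from your asset register or an export of the appliances' version pages.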

As a temporary workaround, organizations should restrict access to the AMC and CMC interfaces to trusted sources only.

Recommendations

  • Upgrade Software: Install version 12.4.3-02854 or higher without delay.
  • Restrict Access: Limit AMC and CMC access to trusted IP addresses.
  • Monitor Systems: Review AMC and CMC access logs and network telemetry for connections from untrusted sources or other unusual activity.

Given the critical nature of CVE-2025-23006 and its active exploitation, organizations using vulnerable versions of the SMA1000 series must prioritize patching and implementing mitigations immediately.

Failure to address this issue could lead to severe security breaches with widespread consequences.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
