Zero-day vulnerability in SonicWall SMA series under attack
SonicWall released a hotfix for a critical pre-authentication remote code execution vulnerability in Secure Mobile Access 1000 products amidst reports of zero-day exploitation.
A critical SonicWall vulnerability in the administrative tools for the vendor's Secure Mobile Access product series is under attack.
In a security advisory published Wednesday, SonicWall disclosed a critical pre-authentication remote code execution vulnerability, tracked as CVE-2025-23006, in the Appliance Management Console (AMC) and Central Management Console (CMC) administrative tools in the vendor's SMA 1000 series. The zero-day vulnerability affects version 12.4.3-02804 and earlier versions, and could allow a remote unauthenticated attacker to execute arbitrary OS commands. SonicWall credited Microsoft in the advisory.
SonicWall addressed the flaw in hotfix version 12.4.3-02854 and higher, and provided a workaround that recommends restricting access to AMC and CMC to trusted sources. The security advisory noted that SonicWall firewall devices, which have previously been a popular target for attackers, are not affected.
The cybersecurity company urged users to address CVE-2025-23006 amid reports of exploitation activity.
"IMPORTANT: SonicWall PSIRT [Product Security Incident Response Team] has been notified of possible active exploitation of the referenced vulnerability by threat actors. We strongly advise users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability," SonicWall wrote in the security advisory.
Organizations use SonicWall's AMC to remotely manage security policies, network and certificate configuration, monitoring and troubleshooting, and to set up admin accounts. CMC also contains sensitive data, including appliance reports, updates and alerts.
SonicWall sent the following statement to Informa TechTarget:
"Our partners and customers have not reported any direct exploitation to date. However, Microsoft Threat Intelligence Center (MSTIC) discovered evidence of exploitation, prompting a comprehensive code and vulnerability review that led to the discovery of CVE-2025-23006. Immediately afterwards, MSTIC informed SonicWall of this discovery. MSTIC and SonicWall PSIRT are working closely together to identify and mitigate the vulnerability discussed in this CVE."
While information is currently limited, Scott Caveza, staff research engineer at Tenable, told Informa TechTarget that SonicWall's security advisory implies that the vulnerability was potentially exploited in the wild. Tenable cannot confirm the activity, but it is monitoring the situation for further developments, he added.
"Microsoft's Threat Intelligence Center reported the issue to SonicWall, which suggests there have been observations of exploitation," Caveza said in an email. "Despite the uncertainty around exploitation, threat actors have targeted SonicWall devices in the past and several SonicWall vulnerabilities have been featured on the Known Exploited Vulnerabilities (KEV) catalog from the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Patching of impacted SonicWall devices should take priority to ensure this threat is mitigated as soon as possible."
Caitlin Condon, director of vulnerability intelligence at Rapid7, warned users of the risks such vulnerabilities can pose for organizations. Condon told Informa TechTarget that, like other edge devices, SMA appliances are high-value targets for attackers looking to gain access to corporate networks and sensitive data.
"Ransomware groups in particular have historically been fans of SonicWall appliances and firewall vulnerabilities; if previous ransomware campaigns targeting SMA100 series devices are any indication, SMA1000 (note the extra 0) devices will likely also see exploit attempts," Condon said in an email. "Deserialization vulnerabilities also tend to make for stable, reliable attacks and are frequently targeted in the wild, which drives home the importance of remediating this issue quickly."
Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.