Full Report
SonicWall is alerting customers of a critical security flaw impacting its Secure Mobile Access (SMA) 1000 Series appliances that it said has likely been exploited in the wild as a zero-day. The vulnerability, tracked as CVE-2025-23006, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. "Pre-authentication deserialization of untrusted data vulnerability has been identified in the
Analysis Summary
# Vulnerability: SonicWall SMA 1000 Series Pre-Authentication Deserialization Leading to RCE
## CVE Details
- CVE ID: CVE-2025-23006
- CVSS Score: 9.8 (Critical)
- CWE: Not explicitly stated, but described as "pre-authentication deserialization of untrusted data" (likely related to CWE-502: Deserialization of Untrusted Data).
## Affected Systems
- Products: SonicWall Secure Mobile Access (SMA) 1000 Series Appliances (specifically the Appliance Management Console - AMC and Central Management Console - CMC).
- Versions: Not explicitly listed; all versions prior to the fixed version are implied to be affected.
- Configurations: The vulnerability exists in the AMC and CMC interfaces under specific conditions.
## Vulnerability Description
The flaw is a pre-authentication deserialization of untrusted data vulnerability existing within the Appliance Management Console (AMC) and Central Management Console (CMC) of the SonicWall SMA 1000 Series appliances. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary Operating System (OS) commands.
*Note: This vulnerability does **not** affect SonicWall Firewall or SMA 100 series products.*
## Exploitation
- Status: Likely exploited in the wild as a zero-day, per the vendor's advisory.
- Complexity: Implied to be low, as it is a pre-authentication flaw allowing arbitrary command execution.
- Attack Vector: Network (Remote, unauthenticated).
## Impact
- Confidentiality: High (Implied, due to arbitrary command execution).
- Integrity: High (Implied, due to arbitrary command execution).
- Availability: High (Implied, due to arbitrary command execution).
## Remediation
### Patches
- Patched version: 12.4.3-02854 (platform-hotfix).
### Workarounds
- Restrict access to the Appliance Management Console (AMC) and Central Management Console (CMC) to only trusted sources/IP addresses.
## Detection
- Detection methods are not detailed in the summary, but monitoring for unusual activity or command execution attempts directed at the AMC/CMC management interfaces should be prioritized.
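The workaround above (restrict the AMC/CMC to trusted sources) and the detection advice (watch for unexpected traffic at those management interfaces) can be checked together against the appliance's access logs. The Python script below is an added example, not code from SonicWall or from the reporting article. Everything specific in it is an assumption: the trusted networks, the URL prefixes taken to front the management consoles, the combined-style log format, and the sample log lines are all constructed for illustration, because the advisory does not document the appliance's log format or console paths. It parses the log, discards requests that are not aimed at the management interface, and flags the remainder whose source is outside the allowlist, calling out separately those that carried a body, since a pre-authentication deserialization bug is reached by sending data rather than by browsing.

```python
"""Triage web-access log lines for management-console requests from untrusted sources."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: networks allowed to reach the AMC/CMC. Replace with your own admin ranges.
TRUSTED_SOURCES = ("10.0.50.0/24", "192.0.2.10/32")

# Assumption: URL prefixes that front the management consoles. These are placeholders,
# not documented SMA 1000 paths; set them to whatever your appliance actually logs.
MANAGEMENT_PREFIXES = ("/console/", "/admin/")

# Generic combined-style access log line: ip ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (RFC 5737 documentation addresses), not real appliance output.
SAMPLE_LOG = [
    '10.0.50.12 - - [22/Jan/2025:09:14:02 +0000] "GET /console/login HTTP/1.1" 200 1532',
    '198.51.100.7 - - [22/Jan/2025:09:15:41 +0000] "GET /console/login HTTP/1.1" 200 1532',
    '198.51.100.7 - - [22/Jan/2025:09:15:43 +0000] "POST /console/api HTTP/1.1" 500 0',
    '203.0.113.9 - - [22/Jan/2025:09:16:10 +0000] "GET /portal/index HTTP/1.1" 200 884',
    'this line is not an access log entry',
]


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def is_trusted(ip: str, networks=TRUSTED_SOURCES) -> bool:
    """True if ip falls inside one of the trusted networks; malformed input is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, trusted=TRUSTED_SOURCES, prefixes=MANAGEMENT_PREFIXES) -> List[Finding]:
    """Flag every management-interface request whose source is outside the allowlist."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(tuple(prefixes)):
            continue  # unparseable, or not aimed at the management console
        if is_trusted(rec["ip"], trusted):
            continue  # the workaround permits this source
        if rec["method"].upper() in ("POST", "PUT", "PATCH"):
            reason = "request body sent to management interface from untrusted source"
        else:
            reason = "management interface reached from untrusted source"
        findings.append(Finding(rec["ip"], rec["ts"], rec["method"], rec["path"],
                                int(rec["status"]), reason))
    return findings


def by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source address so a single noisy host stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
    print(by_source(hits))
```

On the constructed sample the script reports the two requests from 198.51.100.7 and nothing else: the trusted admin host is allowed through, the portal request is outside the management prefixes, and the malformed line is skipped. Run it against real logs only after replacing the allowlist and prefixes with the values your deployment actually uses; the allowlist check is the same rule the workaround asks you to enforce at the network edge, so any finding here is either a gap in that restriction or traffic worth a closer look.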
## References
- Vendor Advisory: psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002 (Defanged: psirt[.]global[.]sonicwall[.]com/vuln-detail/SNWLID-2025-0002)
- Discovery Credit: Microsoft Threat Intelligence Center (MSTIC).