
SonicWall is alerting customers to a critical security flaw impacting its Secure Mobile Access (SMA) 1000 Series appliances that it said has likely been exploited in the wild as a zero-day.

The vulnerability, tracked as CVE-2025-23006, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system.

"Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands," the company said in an advisory.


It's worth noting that CVE-2025-23006 does not affect SonicWall's Firewall and SMA 100 series products. The flaw has been addressed in version 12.4.3-02854 (platform-hotfix).

SonicWall also said that it has been notified of "possible active exploitation" by unspecified threat actors, necessitating that customers apply the fixes as soon as possible to prevent potential attack attempts.

The company credited the Microsoft Threat Intelligence Center (MSTIC) with discovering and reporting the security shortcoming. When reached for comment, Microsoft told The Hacker News it had nothing to share at this stage.

"To minimize the potential impact of the vulnerability, please ensure that you restrict access to trusted sources for the Appliance Management Console (AMC) and Central Management Console (CMC)," the company recommended.

Update

The U.S. Cybersecurity and Infrastructure Security Agency on Friday confirmed exploitation of CVE-2025-23006, giving federal agencies until February 14, 2025, to patch it.

In a separate security notification, SonicWall said the "vulnerability has been confirmed as being actively exploited in the wild," urging customers to take action immediately. It also said it's in the process of readying information that can be used to verify the integrity of appliances.

The vulnerability has been found to impact the following models: SMA6200, SMA6210, SMA7200, SMA7210, SMA8200v (ESX, KVM, Hyper-V, AWS, Azure), EX6000, EX7000, and EX9000. Besides applying the patch, users are advised to limit access to the administrative consoles to trusted internal networks and to use a firewall to restrict access to them.

