CVE-2025-23006: Actively Exploited Vulnerability in SonicWall SMA1000 Appliances

SonicWall has published a security advisory detailing an actively exploited remote command execution vulnerability in SMA1000 appliances, CVE-2025-23006.

On 22 January 2025, SonicWall published a security advisory detailing an actively exploited remote command execution vulnerability in SMA1000 appliances. The critical-severity vulnerability, CVE-2025-23006, is a pre-authentication deserialisation of untrusted data vulnerability that has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). If exploited, it could allow unauthenticated remote threat actors to execute arbitrary OS commands. Arctic Wolf has not observed any publicly available proof of concept (PoC) exploits for this vulnerability. 

Recommendation 

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

Product: SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC)
Affected Version: Version 12.4.3-02804 and earlier
Fixed Version: Version 12.4.3-02854
Impacted Models: SMA6200, SMA6210, SMA7200, SMA7210, SMA8200v (ESX, KVM, Hyper-V, AWS, Azure), EX6000, EX7000, EX9000

Note: SonicWall Firewall and SMA 100 (SMA200, 210, 400, 410, and 500v) products are not affected by this vulnerability. 
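
The version table and note above, applied to an appliance inventory. This is an added example, not code from SonicWall or Arctic Wolf. The inventory rows are constructed, builds that fall between the two listed versions are flagged for manual verification, and treating builds above the fixed version as fixed is an assumption.

```python
import re

# Versions and model lists as given in the bulletin.
LAST_AFFECTED = (12, 4, 3, 2804)   # "12.4.3-02804 and earlier"
FIRST_FIXED = (12, 4, 3, 2854)     # "12.4.3-02854"
IMPACTED_MODELS = {"SMA6200", "SMA6210", "SMA7200", "SMA7210", "SMA8200V",
                   "EX6000", "EX7000", "EX9000"}
SMA100_MODELS = {"SMA200", "SMA210", "SMA400", "SMA410", "SMA500V"}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*$")

def parse_version(text):
    """Turn '12.4.3-02804' into (12, 4, 3, 2804); None if malformed."""
    m = VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(model, version):
    """Classify one appliance against the bulletin's table and note."""
    key = model.upper().replace(" ", "")
    if key in SMA100_MODELS:
        return "not-affected"       # SMA 100 series, per the bulletin's note
    if key not in IMPACTED_MODELS:
        return "unknown-model"      # the bulletin does not list this model
    parsed = parse_version(version)
    if parsed is None:
        return "unparsed-version"   # check this appliance by hand
    if parsed <= LAST_AFFECTED:
        return "affected"
    if parsed >= FIRST_FIXED:
        return "fixed"              # assumption: later builds keep the fix
    return "verify"                 # build between the two listed versions

# Constructed sample inventory: hostnames and versions are illustrative.
INVENTORY = [
    ("vpn-edge-01", "SMA7210", "12.4.3-02804"),
    ("vpn-edge-02", "EX9000", "12.4.3-02854"),
    ("vpn-lab-01", "SMA8200v", "12.4.2-05000"),
    ("vpn-lab-02", "SMA6210", "12.4.3-02830"),
    ("branch-01", "SMA 500v", "not-collected"),
]

def report(inventory):
    # Map each hostname to its triage status.
    return {host: triage(model, ver) for host, model, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```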

Please follow your organisation’s patching and testing guidelines to minimise potential operational impact. 

Workaround 

  • Restrict access to trusted sources for the Appliance Management Console (AMC) and Central Management Console (CMC). 
  • Dual-homed appliances: Limit access to administrative consoles (default TCP port 8443) to trusted internal networks accessible via an internal interface only (will not impact user VPN traffic).  
  • Single-homed appliances: Use a firewall to limit access to administrative consoles (default TCP port 8443) to trusted internal networks (will not impact user VPN traffic).  
