CVE-2025-23006: Critical Vulnerability Discovered in SonicWall SMA 1000 Series

Key Takeaways

  • Critical vulnerability discovered in SonicWall’s SMA 1000 series appliances, tracked as CVE-2025-23006.
  • Impacted products include Appliance Management Console (AMC) and Central Management Console (CMC) products, versions 12.4.3-02804 and earlier.
  • This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary commands.
  • We recommend upgrading to version 12.4.3-02854 (platform-hotfix) or later immediately.

Background

A critical vulnerability, tracked as CVE-2025-23006, has been discovered in SonicWall’s Secure Mobile Access (SMA) 1000 series appliances. This vulnerability has a CVSS score of 9.8 and has been reported as being actively exploited in the wild as a zero-day vulnerability. It impacts Appliance Management Console (AMC) and Central Management Console (CMC) products, specifically versions 12.4.3-02804 and earlier. If exploited, this vulnerability could allow a remote, unauthenticated attacker to execute arbitrary commands on affected appliances.

SSL VPN appliances of this type are traditionally internet-facing, making them easily accessible and a highly sought-after intrusion vector for threat actors. If a threat actor exploits this vulnerability and gains access to the VPN, it could lead to network intrusions, which could later result in data exfiltration, extortion and/or encryption events.

Breaking Down the Advisory

In their advisory, SonicWall states: "Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands."

What does this actually mean? 

This vulnerability allows threat actors to skip all security checks and gain access by sending a specially crafted "package" that the system mistakenly trusts and runs.

  • "Pre-authentication": the attacker doesn’t need to log in or prove their identity (authenticate) first; they can attack the system before any credentials are checked.
  • "Deserialization of untrusted data": like someone walking through an airport checkpoint with a package that hasn’t been scanned by TSA. Instead of inspecting it carefully, the system opens the package, trusts what’s inside, and acts on it, which gives the threat actor control.

Recommendations

Below are some key recommendations from the Cybereason DFIR team: 
  • SonicWall has released a security update to address this vulnerability. Users are strongly advised to upgrade to version 12.4.3-02854 (platform-hotfix) or later.
  • Access to the AMC and CMC interfaces should be limited to authorized/trusted sources only.
  • Impacted organizations that have SonicWall Secure Mobile Access (SMA) 1000 series appliances and suffer a network intrusion should ensure that logs are preserved and that both the patch level and the date of patching are noted.
  • SonicWall provides 8 critical steps (beginning on page 653) to secure these appliances. These include:
    • Network Configuration
    • Appliance Configuration
    • Appliance Sessions 
    • Administrator Accounts 
    • Access Policy 
    • Set Up Zones of Trust 
    • Setting security level 
    • Client Access
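
To act on the upgrade recommendation across more than one appliance, the version boundaries quoted above can be turned into a triage check. This is an added example, not code from SonicWall or Cybereason. It assumes the inventory already contains only SMA 1000 AMC/CMC systems and that versions are reported as major.minor.patch-build; the hostnames and sample versions are constructed.

```python
import re

# Version boundaries taken from the advisory text above.
LAST_AFFECTED = (12, 4, 3, 2804)   # "12.4.3-02804 and earlier"
FIRST_FIXED = (12, 4, 3, 2854)     # "12.4.3-02854 (platform-hotfix) or later"

# Assumed format: major.minor.patch-build, optionally followed by a label.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch, build), or None if the string is unparseable."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version_text):
    """Map a firmware version string to a triage status."""
    v = parse_version(version_text)
    if v is None:
        return "UNKNOWN"      # could not parse: check the appliance manually
    if v <= LAST_AFFECTED:
        return "AFFECTED"     # upgrade immediately
    if v >= FIRST_FIXED:
        return "FIXED"
    return "REVIEW"           # between the two builds: not covered by the text above


def triage(inventory):
    """Return (host, version, status) rows, most urgent first."""
    order = {"AFFECTED": 0, "UNKNOWN": 1, "REVIEW": 2, "FIXED": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("sma-amc-01.example.internal", "12.4.3-02804"),
    ("sma-cmc-01.example.internal", "12.4.3-02854 (platform-hotfix)"),
    ("sma-amc-02.example.internal", "12.4.2-05082"),
    ("sma-amc-03.example.internal", "12.4.3-02830"),
    ("sma-amc-04.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<9} {host:<30} {ver}")
```

The comparison runs over the whole version tuple, so an older release with a numerically larger build number (the constructed 12.4.2-05082) is still flagged as affected. For incident response, record the status next to the date of patching, as recommended above.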

About the Author

Cybereason Consulting Team