Sunday, April 6, 2025

SonicWall Arbitrary OS Commands Execution Vulnerability Exploited in Attacks


A critical vulnerability in SonicWall’s SMA1000 series, tracked as CVE-2025-23006, has come under active exploitation by threat actors.

SonicWall’s PSIRT (Product Security Incident Response Team) has issued an urgent advisory urging users to update their systems immediately to mitigate risks.

Details of CVE-2025-23006

The vulnerability, which scores an alarming 9.8/10 on the CVSS v3 severity scale, stems from a pre-authentication deserialization of untrusted data flaw.


This flaw resides in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC).


In specific conditions, it can allow remote, unauthenticated attackers to execute arbitrary operating system commands.

Attackers exploiting this vulnerability could gain complete control over affected systems, leading to a potentially catastrophic compromise of confidentiality, integrity, and availability.

Affected Products

The vulnerability impacts SMA1000 series appliances running version 12.4.3-02804 or earlier. Notably, the SonicWall Firewall and the SMA 100 series are not affected by this issue.

The vulnerability has attracted attention due to its active exploitation by malicious actors in the wild. Microsoft Threat Intelligence Center (MSTIC) is credited for identifying this exploitation activity.

SonicWall strongly recommends that users upgrade to the fixed version of the SMA1000 platform, 12.4.3-02854 or higher, to eliminate the risk.
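As an added illustration, not code from the article or from SonicWall, the following Python helper applies the version boundary stated above to a constructed appliance inventory. The "major.minor.patch-build" string format, plain tuple comparison, and treating every build below 12.4.3-02854 as needing the hotfix are assumptions made here.

```python
import re

# Fixed build stated in the SonicWall advisory summarized above.
FIXED_VERSION = "12.4.3-02854"

# Assumed format of an SMA1000 version string, e.g. "12.4.3-02804".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sma_version(version: str) -> tuple:
    """Parse an SMA1000 version string into a comparable integer tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def needs_hotfix(version: str) -> bool:
    """True when the appliance runs a build older than the fixed release (assumption)."""
    return parse_sma_version(version) < parse_sma_version(FIXED_VERSION)


def triage_inventory(inventory):
    """Classify (hostname, product, version) rows; returns a list of (hostname, status)."""
    results = []
    for host, product, version in inventory:
        if product != "SMA1000":  # SMA 100 series and firewalls are not affected per the advisory
            results.append((host, "not-affected-product"))
            continue
        try:
            status = "upgrade-required" if needs_hotfix(version) else "fixed"
        except ValueError:
            status = "unparseable-version"  # flag for manual review rather than silently skipping
        results.append((host, status))
    return results


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("sma-edge-01", "SMA1000", "12.4.3-02804"),
    ("sma-edge-02", "SMA1000", "12.4.3-02854"),
    ("sma-edge-03", "SMA1000", "12.4.2-01234"),
    ("sma100-branch", "SMA100", "n/a"),
    ("sma-edge-04", "SMA1000", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:16} {status}")
```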

While patching remains the recommended mitigation, SonicWall has advised the following workarounds to minimize exposure:

  1. Restrict access to the Appliance Management Console (AMC) and Central Management Console (CMC) to only trusted sources.
  2. Follow best practices for securing the SMA1000 appliance as outlined in the SMA1000 Administration Guide.

Users are urged to download and apply the relevant hotfix as soon as possible. The fixed software version is available from SonicWall’s official support page.

Additionally, organizations should monitor for unusual activity on their networks, as the vulnerability has been actively exploited.

SonicWall’s complete advisory on this issue, including detailed mitigation steps, can be found on their website under the advisory ID SNWLID-2025-0002.

As cyberattacks exploiting this type of vulnerability can escalate quickly, immediate action is critical to safeguarding systems and sensitive data.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
