Cyber Security News

SonicWall Arbitrary OS Commands Execution Vulnerability Exploited in Attacks

A critical vulnerability in SonicWall’s SMA1000 series, tracked as CVE-2025-23006, has come under active exploitation by threat actors.

SonicWall’s PSIRT (Product Security Incident Response Team) has issued an urgent advisory urging users to update their systems immediately to mitigate risks.

Details of CVE-2025-23006

The vulnerability, which scores an alarming 9.8/10 on the CVSS v3 severity scale, stems from a pre-authentication deserialization of untrusted data flaw.

This flaw resides in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC).

In specific conditions, it can allow remote, unauthenticated attackers to execute arbitrary operating system commands.

Attackers exploiting this vulnerability could gain complete control over affected systems, leading to a potentially catastrophic compromise of confidentiality, integrity, and availability.

Affected Products

The vulnerability impacts SMA1000 series appliances running version 12.4.3-02804 or earlier. Notably, the SonicWall Firewall and the SMA 100 series are not affected by this issue.

The vulnerability has attracted attention due to its active exploitation by malicious actors in the wild. Microsoft Threat Intelligence Center (MSTIC) is credited with identifying this exploitation activity.

SonicWall strongly recommends that users upgrade to the fixed version of the SMA1000 platform, 12.4.3-02854 or higher, to eliminate the risk.
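To turn the version boundaries above into an inventory check, the following added example (not SonicWall's or the article's code) classifies SMA1000 version strings against the affected and fixed builds quoted in the text. The hostnames and the sample inventory are constructed, and the `major.minor.patch-build` parsing and the "unconfirmed" bucket for builds between the two stated boundaries are assumptions of this example.

```python
import re

# Boundaries quoted in the article text.
LAST_AFFECTED = (12, 4, 3, 2804)  # 12.4.3-02804 or earlier: affected
FIRST_FIXED = (12, 4, 3, 2854)    # 12.4.3-02854 or higher: fixed

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*$")

def parse_version(text):
    """Return (major, minor, patch, build), or None if the string is not in
    the major.minor.patch-build form used in the article."""
    m = _VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text):
    """Map a version string to affected / fixed / unconfirmed / unparseable."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"   # needs a manual look, never assume patched
    if v <= LAST_AFFECTED:     # tuple compare, so 12.4.2-05082 is still older
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unconfirmed"       # between the two builds the article names

def triage(inventory_lines):
    """Group 'hostname,version' rows by status: {status: [hostnames]}."""
    result = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        result.setdefault(classify(version), []).append(host.strip())
    return result

# Constructed sample inventory (hostnames and most versions are made up).
SAMPLE_INVENTORY = [
    "# hostname,version",
    "sma-edge-01,12.4.3-02804",
    "sma-edge-02,12.4.2-05082",
    "sma-dr-01,12.4.3-02854",
    "sma-lab-01,12.4.3-02830",
    "sma-old-01,unknown",
    "sma-new-01,12.5.0-00100",
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:12} {', '.join(hosts)}")
```

Anything that lands in "unconfirmed" or "unparseable" should be checked against the vendor advisory rather than treated as patched.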

While patching remains the recommended mitigation, SonicWall has advised the following workarounds to minimize exposure:

  1. Restrict access to the Appliance Management Console (AMC) and Central Management Console (CMC) to only trusted sources.
  2. Follow best practices for securing the SMA1000 appliance as outlined in the SMA1000 Administration Guide.

Users are urged to download and apply the relevant hotfix as soon as possible. The fixed software version is available from SonicWall’s official support page.

Additionally, organizations should monitor for unusual activity on their networks, as the vulnerability has been actively exploited.

SonicWall’s complete advisory on this issue, including detailed mitigation steps, can be found on their website under the advisory ID SNWLID-2025-0002.

As cyberattacks exploiting this type of vulnerability can escalate quickly, immediate action is critical to safeguarding systems and sensitive data.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
