January 29, 2025

Critical Vulnerability in SonicWall Secure Mobile Access (SMA) 1000 Series Appliances

Advisory
Kudelski Security Team

Summary

A critical vulnerability (CVE-2025-23006) has been identified in SonicWall Secure Mobile Access (SMA) 1000 Series Appliances, potentially allowing for remote code execution (RCE). This vulnerability stems from a pre-authentication deserialization of untrusted data flaw in the Appliance Management Console (AMC) and Central Management Console (CMC). Successful exploitation could enable an unauthenticated attacker to execute arbitrary OS commands, compromising system integrity.

SonicWall PSIRT has been notified of potential active exploitation of this vulnerability by threat actors. Organizations using affected SMA appliances should take immediate action to mitigate risks.

Affected Systems and/or Applications

SonicWall SMA 1000 Series Appliances running version 12.4.3-02804 (platform-hotfix) and earlier.

Impacted Models: SMA6200, SMA6210, SMA7200, SMA7210, SMA8200v (ESX, KVM, Hyper-V, AWS, Azure), EX6000, EX7000, EX9000

Note: SonicWall Firewall and SMA 100 (SMA200, 210, 400, 410, and 500v) products are not affected by this vulnerability.

Technical Details

Tactic: Initial Access (TA0001)

Technique: Exploit Public-Facing Application (T1190)

A pre-authentication deserialization vulnerability in SonicWall SMA 1000’s AMC and CMC can allow a remote attacker to execute arbitrary OS commands. This can lead to full system compromise, allowing attackers to:

  • Install malicious software
  • Exfiltrate, modify, or delete sensitive data
  • Gain persistent access to the network

Mitigation and Workarounds

Upgrade to the Latest Fixed Version

SonicWall has released patches addressing this vulnerability. Organizations should upgrade to the latest fixed version as soon as possible.

Product: SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC)
Affected Version: 12.4.3-02804 and earlier
Fixed Version: 12.4.3-02854

Organizations should follow their internal patch management and testing guidelines before deploying updates to minimize operational disruptions.
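As an added example (not part of the original advisory), the following inventory check applies the advisory's affected-version rule, "12.4.3-02804 (platform-hotfix) and earlier" on an impacted model, to a list of appliances so that the ones needing the fixed build can be flagged; the hostnames and versions in the sample inventory are constructed.

```python
"""Flag SonicWall SMA 1000 appliances affected by CVE-2025-23006.
Version strings follow the advisory's format, e.g. "12.4.3-02804"
(release 12.4.3, platform-hotfix build 02804)."""
import re
from typing import NamedTuple

# Impacted models and version boundaries as stated in the advisory.
IMPACTED_MODELS = {"SMA6200", "SMA6210", "SMA7200", "SMA7210", "SMA8200v",
                   "EX6000", "EX7000", "EX9000"}
LAST_AFFECTED = "12.4.3-02804"
FIRST_FIXED = "12.4.3-02854"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


class Version(NamedTuple):
    release: tuple   # (major, minor, patch)
    build: int       # platform-hotfix build number, 0 if absent


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch[-build]' into a tuple that compares
    release first, then hotfix build (leading zeros are not significant)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    major, minor, patch, build = m.groups()
    return Version((int(major), int(minor), int(patch)), int(build or 0))


def is_affected(model: str, version: str) -> bool:
    """True when the model is impacted and the firmware is at or below
    the last affected build; other product lines are out of scope."""
    if model not in IMPACTED_MODELS:
        return False
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage(inventory):
    """Return the (hostname, model, version) records that need the fix."""
    return [rec for rec in inventory if is_affected(rec[1], rec[2])]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("sma-dc1", "SMA7200", "12.4.3-02804"),   # last affected build
    ("sma-dc2", "SMA8200v", "12.4.3-02854"),  # fixed build
    ("sma-lab", "EX7000", "12.4.2-02300"),    # older release, still affected
    ("sma-ref", "SMA500v", "10.2.1-6"),       # SMA 100 series, not in scope
]

if __name__ == "__main__":
    for host, model, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} {ver} -> upgrade to {FIRST_FIXED}")
```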

Workarounds

If immediate patching is not possible, the following mitigations should be applied:

  1. Restrict Access to Trusted Sources:
    • Limit access to the Appliance Management Console (AMC) and Central Management Console (CMC) to trusted internal networks only.
    • For Dual-Homed Appliances: Restrict access to administrative consoles (default TCP port 8443) to trusted internal networks accessible via an internal interface only. This will not impact user VPN traffic.
    • For Single-Homed Appliances: Use a firewall to restrict access to administrative consoles (default TCP port 8443) to trusted internal networks. This will not impact user VPN traffic.
  2. Review and Implement Security Best Practices:

Organizations are advised to implement these workarounds until patches can be applied to mitigate the risk of exploitation.

What the Cyber Fusion Center is Doing

This vulnerability poses a severe risk to organizations using SonicWall SMA 1000 appliances. Immediate action is required to mitigate the threat by applying patches, strengthening network defenses, and implementing robust monitoring. Organizations should also prioritize long-term security measures such as vulnerability management, penetration testing, and access controls to minimize future risks.

The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
