SonicWall SMA Appliances Exploited in Zero-Day Attacks
Critical security flaw in SonicWall SMA 1000 appliances (CVE-2025-23006) exploited as a zero-day. Rated CVSS 9.8, patch immediately to protect systems.
SonicWall has identified a critical security flaw in its Secure Mobile Access (SMA) 1000 Series appliances, which it believes has been exploited as a zero-day vulnerability. Learn about the vulnerability, impact, and how to mitigate the risk.
SonicWall issued a security advisory (SNWLID-2025-0002) on January 22, 2025, urging customers to address a critical zero-day vulnerability (CVE-2025-23006) impacting its Secure Mobile Access (SMA) 1000 Series appliances. The Microsoft Threat Intelligence Center discovered the flaw.
The vulnerability, rated 9.8 out of 10.0 on the CVSS scale, stems from improper handling of untrusted data during deserialization in the Appliance Management Console (AMC) and Central Management Console (CMC) components of the SMA 1000. Deserialization is the process of turning a serialized stream of bytes or text back into live in-memory objects; when that stream is attacker-controlled, so are the objects it reconstructs.
In this case, attackers can exploit weaknesses in how the SMA 1000 handles external data, possibly injecting malicious code to execute arbitrary commands on the system. The consequences of exploiting this vulnerability are severe. A successful attack could allow remote, unauthenticated attackers to gain complete control over affected devices.
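The advisory does not say which serialization format the SMA 1000 consoles use, so the following is a generic illustration of the weakness class (CWE-502, deserialization of untrusted data) and not code from SonicWall or from this article. It uses Python's pickle as a stand-in: the "vulnerable" loader accepts whatever the input references, the hardened loader allow-lists the few types it expects, and a JSON-plus-schema loader avoids callable-bearing formats altogether. The `Gadget` class, the `record` side-effect recorder and the sample blob are constructed for the demonstration.

```python
import io
import json
import pickle

# Side-effect log so the demo can show *when* deserialization ran code.
events: list[str] = []


def record(msg: str) -> str:
    """Benign stand-in for 'code that must never run while parsing input'."""
    events.append(msg)
    return msg


class Gadget:
    """Hypothetical object whose pickle reduction calls a function on load.
    Any importable callable could be named here; record() stands in for it."""

    def __reduce__(self):
        return (record, ("deserialization triggered a call",))


def untrusted_blob() -> bytes:
    """Constructed sample input: what an attacker-controlled request body could carry."""
    return pickle.dumps(Gadget())


def unsafe_load(blob: bytes):
    """Vulnerable pattern: the format itself may reference arbitrary callables."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened variant: only explicitly allow-listed types may be reconstructed."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safer_load(text: str) -> dict:
    """Preferred: a data-only format plus schema validation, no callables at all."""
    obj = json.loads(text)
    if (not isinstance(obj, dict) or set(obj) != {"user", "role"}
            or not isinstance(obj["user"], str) or obj["role"] not in ("admin", "viewer")):
        raise ValueError("rejected: unexpected shape or value")
    return obj


def demo() -> dict:
    """Run both loaders over the same blob and report what happened."""
    blob = untrusted_blob()
    events.clear()
    unsafe_load(blob)
    unsafe_executed = len(events) == 1
    events.clear()
    try:
        safe_load(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {"unsafe_executed": unsafe_executed,
            "restricted_blocked": blocked and not events}


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that the dangerous step is the parse itself, not anything the application does with the result afterwards; authentication in front of the endpoint and an allow-list inside the parser are the two controls that matter.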
Moreover, attackers could steal sensitive information stored on the appliance, including user credentials, configuration data, or even confidential business documents, and may manipulate or disable critical system functions, rendering the appliance inoperable. Furthermore, a compromised SMA 1000 appliance could be used as a launching pad for further attacks within the network.
Under certain conditions, this flaw could allow remote attackers to execute arbitrary commands, potentially compromising confidentiality, integrity, and availability.
SonicWall, a provider of secure remote access solutions for organizations such as managed security service providers, enterprises, and government agencies, has been notified of potential active exploitation by unknown threat actors and urges customers to apply the fixes promptly. Germany’s CERT-Bund has also issued an advisory calling for immediate patching, citing 2,380 SMA 1000 devices exposed online according to Shodan.
Here’s what SonicWall recommended in its advisory:
- Apply the Hotfix Immediately: Update your SMA 1000 appliance to the latest hotfix version (12.4.3-02854 or higher) to patch the vulnerability.
- Restrict Access to Management Consoles: As a temporary workaround, limit access to the AMC and CMC consoles to trusted sources only. Refer to the SMA 1000 Administration Guide for best practices on securing these consoles.
This vulnerability exclusively impacts SonicWall SMA 1000 Series appliances running version 12.4.3-02804 (or earlier). SonicWall Firewalls and SMA 100 series products are not affected.
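A quick way to act on the version boundaries above is a triage script that parses SMA 1000 build strings and flags every appliance below the hotfix build. This is an added example, not a SonicWall tool: the `major.minor.patch-build` parsing is an assumption based on the version strings quoted in the advisory, the inventory dictionary is constructed sample data, and any build below 12.4.3-02854 is reported as needing the hotfix, matching the "12.4.3-02854 or higher" guidance.

```python
import re

# Fixed build named in the advisory; anything lower has not received the hotfix.
HOTFIX = "12.4.3-02854"

# Assumed format of SMA 1000 version strings, e.g. "12.4.3-02804".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(v: str) -> tuple[int, int, int, int]:
    """Turn '12.4.3-02804' into (12, 4, 3, 2804) so tuples compare numerically."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognized SMA 1000 version string: {v!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def needs_hotfix(v: str) -> bool:
    """True when the appliance runs a build below the hotfix build."""
    return parse_version(v) < parse_version(HOTFIX)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket appliances by hostname: needs_hotfix, patched, or unknown (unparseable)."""
    result: dict[str, list[str]] = {"needs_hotfix": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "needs_hotfix" if needs_hotfix(version) else "patched"
        except ValueError:
            bucket = "unknown"  # do not silently treat a bad string as safe
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and builds other than those in the
# advisory are placeholders, not real appliances.
SAMPLE_INVENTORY = {
    "sma-hq-01": "12.4.3-02804",   # last affected build named in the advisory
    "sma-dc-02": "12.4.3-02854",   # hotfix build
    "sma-lab-03": "12.4.2-00100",  # placeholder older release
    "sma-dr-04": "12.4.3-02900",   # placeholder later build
    "sma-old-05": "n/a",           # unknown: inventory field empty
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts landing in `unknown` should be checked by hand rather than dropped; a missing or malformed version field is a gap in the inventory, not evidence that the device is patched.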
In a comment to Hackread.com, Bugcrowd founder Casey Ellis described the vulnerability as “gnarly” and emphasized that it reflects a broader trend of attackers increasingly targeting weaknesses in remote access systems and network devices.
“This vulnerability is gnarly and continues the trend of targeting vulnerabilities in Remote Access systems and network concentrators. Aside from patching, organizations should ensure that management interfaces for the SMA 1000, or any other device for that matter given the cluster of vulnerabilities, research, and exploitation, are not publicly accessible.”