CVE-2025-23006 — SonicWall SMA1000 Appliances Deserialization Vulnerability

SonicWall SMA1000 — Pre-Auth Deserialization RCE in AMC/CMC Management Console (Ransomware, Zero-Day)

What is SonicWall SMA1000?

SonicWall Secure Mobile Access (SMA) 1000 series appliances are enterprise SSL VPN and remote access gateway appliances used by organizations to provide secure remote access for employees and partners. The SMA1000 includes an Appliance Management Console (AMC) for device administration and a Central Management Console (CMC) for multi-appliance management. Because SMA1000 appliances serve as network access gateways, they are internet-facing by design and sit at the network perimeter. Compromising an SMA1000 gives an attacker the ability to intercept VPN traffic, harvest credentials, disable remote access for legitimate users, and use the appliance as a foothold into the internal network.

Overview

CVE-2025-23006 is a critical pre-authentication deserialization vulnerability (CWE-502, CVSS 9.8) in the SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). An unauthenticated remote attacker can send a crafted request to the management interface that triggers unsafe deserialization, achieving arbitrary OS command execution with root privileges. SonicWall confirmed active in-the-wild exploitation as a zero-day before the January 2025 patch. CISA added it to the KEV catalog the day after the advisory with ransomwareUse: true.

Affected Versions

Product: SonicWall SMA1000 Appliances (all models)
Vulnerable: Firmware prior to 12.4.3-02854
Fixed: 12.4.3-02854

Note: This vulnerability affects SMA1000 series only, not SMA100 series (different product family).

Technical Details

The vulnerability (CWE-502: Deserialization of Untrusted Data) is in the SMA1000 management interface (AMC/CMC). The management console accepts serialized data objects in certain HTTP request paths without authentication. An attacker crafts a malicious serialized object payload and submits it to the vulnerable endpoint; the appliance deserializes the object and executes the embedded OS commands with root privileges.

SonicWall's advisory noted that exploitation required the management interface to be network-accessible — which is standard for SMA1000 deployments since the AMC/CMC must be reachable for administration. No authentication or prior knowledge of the environment (beyond the appliance's IP address) is required.

Discovery

SonicWall's PSIRT confirmed it had been notified of active exploitation before the advisory was published. Microsoft Threat Intelligence was credited with reporting the active exploitation. No individual external researcher is publicly credited with the original vulnerability discovery.

Exploitation Context

SonicWall confirmed active in-the-wild exploitation before the January 2025 advisory — a zero-day. Microsoft Threat Intelligence confirmed exploitation by a Microsoft-tracked threat actor. CISA added CVE-2025-23006 to the KEV catalog on 24 January 2025 — just one day after the advisory — with ransomwareUse: true. The very fast KEV addition (next-day) and ransomware flag indicate CISA had prior intelligence of exploitation before the advisory was published. Post-exploitation of SMA1000 provides network access gateway control, enabling credential interception and lateral movement.

Remediation

  1. Update SMA1000 firmware to 12.4.3-02854 or later immediately — download from the MySonicWall support portal.
  2. Restrict AMC/CMC access: apply firewall or access control rules to limit management interface access to trusted administrative IP ranges. The management interface should never be accessible from untrusted networks or the internet.
  3. Review VPN access logs for anomalous session activity, credential usage from unexpected locations, or configuration changes made during the vulnerability window.
  4. Rotate all VPN user credentials and administrator passwords if exploitation is suspected — VPN credentials accessible to a compromised gateway should be treated as compromised.
  5. Monitor for lateral movement from the SMA1000's network position — a compromised gateway has a trusted position in the network and may be used as an attack pivot.
  6. SMA100 series users: this vulnerability does not affect your product — verify you have the correct product line.
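The Affected Versions entry and remediation steps 1 and 6 reduce to one check per appliance: is it an SMA1000 at all, and is its firmware earlier than 12.4.3-02854? The script below is an added example, not SonicWall's or CISA's tooling; it parses the `major.minor.patch-build` firmware string from the advisory and triages a constructed inventory (hostnames and versions are made up).

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Fixed build from the SonicWall advisory: every earlier build is vulnerable.
FIXED_VERSION = "12.4.3-02854"


class Firmware(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int


# SMA1000 firmware strings look like "12.4.3-02854": dotted release, dash, build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_firmware(version: str) -> Firmware:
    """Parse an SMA1000 firmware string into a tuple that compares numerically.
    The build number is zero-padded, so comparing it as text would be wrong."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA1000 firmware version: {version!r}")
    return Firmware(*(int(g) for g in match.groups()))


def assess(product_line: str, version: str) -> str:
    """Classify one appliance: 'not_affected' for the SMA100 family (a different
    product line, per the advisory), 'vulnerable' for SMA1000 firmware prior to
    the fixed build, 'patched' for the fixed build or anything later."""
    line = product_line.strip().upper()
    if line == "SMA100":
        return "not_affected"          # SMA100 uses its own firmware scheme; do not parse it
    if line != "SMA1000":
        raise ValueError(f"unknown product line: {product_line!r}")
    return "vulnerable" if parse_firmware(version) < parse_firmware(FIXED_VERSION) else "patched"


# Constructed inventory for the example: (hostname, product line, reported firmware).
INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-gw-01.example.test", "SMA1000", "12.4.3-02853"),   # one build short of the fix
    ("vpn-gw-02.example.test", "SMA1000", "12.4.3-02854"),   # exactly the fixed build
    ("vpn-gw-03.example.test", "SMA1000", "12.4.2-02900"),   # higher build, older release: still vulnerable
    ("vpn-gw-04.example.test", "SMA100", "10.2.1-constructed"),  # wrong product line for this CVE
]


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Return {hostname: status} so the vulnerable set can be pulled straight into a ticket."""
    return {host: assess(line, ver) for host, line, ver in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:28} {status}")
```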

Key Details

CVE ID: CVE-2025-23006
Vendor / Product: SonicWall — SMA1000 Appliances
NVD Published: 2025-01-23
NVD Last Modified: 2025-10-31
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-502
CISA KEV Added: 2025-01-24
CISA KEV Deadline: 2025-02-14
Known Ransomware Use: Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-02-14. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

2025-01-22: SonicWall releases firmware 12.4.3-02854, patching the zero-day
2025-01-23: SonicWall PSIRT advisory SNWLID-2025-0002 published; CVE published
2025-01-24: CISA adds CVE-2025-23006 to the Known Exploited Vulnerabilities catalog (ransomwareUse: true)
2025-02-14: CISA BOD 22-01 remediation deadline