Threat Insight

Critical Vulnerability Alert: SonicWall SMA1000 Exploited

A pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which could potentially enable a remote, unauthenticated attacker to execute arbitrary OS commands.

Devices with the vulnerable firmware versions that has their administrative access externally exposed are especially at risk of exploitation.
Administrative access refers to the ability to access the web-based Appliance Management and Central Management consoles (AMC & CMC) on the configured port (default 8443) [1].

  • Insight
SonicWall SMA1000 devices impacted by CVE-2025-23006 vulnerability, highlighting risk of remote command execution and recommended updates

CVE

CVE-2025-23006

Affected Products

Product: SMA1000 Models: SMA6200 SMA6210 SMA7200 SMA7210 SMA8200v (ESX, KVM, Hyper-V, AWS, Azure) EX6000 EX7000 EX9000

Exploitation

This vulnerability has been confirmed as being actively exploited in the wild[1].

Upgrade any of the vulnerable versions to version 12.4.3-02854 or newer. Additionally, customers are reminded to restrict administrative access to SMA & CMS appliances: Dual-homed appliances: Limit access to administrative consoles (default TCP port 8443) to trusted internal networks accessible via an internal interface only (will not impact user VPN traffic). Single-homed appliances: Use a firewall to limit access to administrative consoles (default TCP port 8443) to trusted internal networks (will not impact user VPN traffic)[1].

References

[1] https://www.sonicwall.com/support/knowledge-base/product-notice-urgent-security-notification-sma-1000/250120090802840