
SonicWall Confirms Exploitation of New SMA Zero-Day

SonicWall has confirmed that an SMA 1000 zero-day tracked as CVE-2025-23006 has been exploited in the wild.


SonicWall has confirmed that a recently discovered vulnerability affecting its Secure Mobile Access (SMA) 1000 series products has been exploited in the wild.

The company published an advisory last week to inform customers that the Appliance Management Console (AMC) and Central Management Console (CMC) administration tools of the secure access gateway are affected by a critical untrusted data deserialization issue that allows remote command execution without authentication.

The zero-day flaw, tracked as CVE-2025-23006, has been patched in SMA 1000 appliances with the release of version 12.4.3-02854.

SonicWall, which learned about the zero-day from Microsoft, initially said it was aware of “possible active exploitation”, but in an urgent security notification published after its initial advisory the company confirmed in-the-wild exploitation, urging customers to install the available firmware updates as soon as possible.

“Appliances on vulnerable firmware versions, with administrative access exposed to the public internet, are especially at risk of exploitation,” SonicWall warned. “Administrative access refers to the ability to access the web-based Appliance Management and Central Management consoles (AMC & CMC) on the configured port (default 8443).” 

In addition to providing patches, SonicWall has advised customers to restrict administrative access to SMA and Central Management Server (CMS) appliances. SonicWall Firewall and SMA 100 series products are not affected. The company will soon provide information that customers can use to check the integrity of their devices.  
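The two checks above, firmware level and exposure of the AMC/CMC port, are what an operator needs to triage an SMA 1000 fleet against this advisory. The script below is an added example written for this page; it is not SonicWall or SecurityWeek code. It assumes firmware versions are written in the "12.4.3-02854" form used in the advisory and treats anything older than that fixed build as unpatched (the vendor advisory is authoritative for the exact affected range), uses the default admin port 8443 named in SonicWall's notice, and the `Appliance`, `triage` and `admin_port_open` names plus the inventory entries are constructed for illustration.

```python
"""Triage helper for SonicWall SMA 1000 appliances against CVE-2025-23006.

Added example, not vendor code. Assumptions:
  - firmware versions look like "12.4.3-02854" (major.minor.patch-build);
    anything older than the fixed build is treated as vulnerable, which is
    an assumption: check the SonicWall advisory for the exact affected range;
  - the AMC/CMC management consoles listen on TCP 8443 by default.
Run the port probe from a vantage point that should NOT have management
access (the internet, a user VLAN): an open port seen from there is exactly
the "administrative access exposed to the public internet" the vendor warns about.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable

FIXED_VERSION = "12.4.3-02854"   # fix release named in the advisory
DEFAULT_ADMIN_PORT = 8443        # AMC/CMC default port named in the notice

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(ver: str) -> tuple:
    """Turn '12.4.3-02854' into a comparable tuple (12, 4, 3, 2854)."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {ver!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(ver: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the appliance runs the fixed build or anything newer.
    Tuple comparison handles the build number, so 12.4.3-02853 is still old."""
    return parse_version(ver) >= parse_version(fixed)


def admin_port_open(host: str, port: int = DEFAULT_ADMIN_PORT, timeout: float = 3.0,
                    connect: Callable = socket.create_connection) -> bool:
    """Plain TCP-connect probe of the management console port.

    `connect` is injectable (hypothetical parameter) so the logic can be
    exercised offline; by default it is socket.create_connection.
    """
    try:
        with connect((host, port), timeout):
            return True
    except OSError:
        return False


@dataclass
class Appliance:          # hypothetical inventory record
    name: str
    host: str
    firmware: str
    admin_port: int = DEFAULT_ADMIN_PORT


def triage(appliance: Appliance, probe: Callable = admin_port_open) -> str:
    """Classify one appliance by patch state and admin-port exposure.
    `probe(host, port)` defaults to the live TCP check above."""
    patched = is_patched(appliance.firmware)
    exposed = probe(appliance.host, appliance.admin_port)
    if patched and not exposed:
        return "ok"
    if patched:
        return "patched-but-admin-exposed"      # still restrict access
    if exposed:
        return "vulnerable-and-admin-exposed"   # patch now, then review logs
    return "vulnerable"                         # patch, lower urgency


# Constructed sample inventory (documentation-range addresses, not real hosts).
INVENTORY = [
    Appliance("sma-hq-1",  "198.51.100.10", "12.4.3-02853"),
    Appliance("sma-hq-2",  "198.51.100.11", "12.4.3-02854"),
    Appliance("sma-dc-1",  "198.51.100.12", "12.4.2-09999", admin_port=8443),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name:10} {a.firmware:14} {triage(a)}")
```

Two things the classification deliberately keeps separate: a patched appliance with the console reachable from the outside is still reported, because the vendor's guidance to restrict administrative access stands regardless of firmware level, and an unpatched appliance whose console is not reachable is not "safe", only lower on the queue, since Microsoft notes the bug is exploitable by anyone who can reach the internal interface.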


Microsoft did not want to share any information about the attacks exploiting CVE-2025-23006 when contacted by SecurityWeek.

However, in a message posted on X, Microsoft Threat Intelligence urged organizations to take immediate action. 

“We identified CVE-2025-23006 and reported it to SonicWall upon discovery. Threat actors with access to the internal interface of the appliance (in both single- & dual-homed interface configurations) can exploit CVE-2025-23006 to conduct remote code execution,” Microsoft said.

The Shodan and Censys search engines show roughly 2,000 internet-exposed SMA appliances, while Netlas shows approximately 4,000 instances, a majority located in the United States. 

However, one researcher said only 215 of the devices found on Shodan appear to expose their management interface and are affected by CVE-2025-23006.

CISA has added CVE-2025-23006 to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address the flaw by February 14. 

It’s not uncommon for threat actors to exploit SonicWall product vulnerabilities. CISA’s KEV list currently contains 11 SonicWall vulnerabilities, including five affecting SMA products.  

Related: SonicWall Patches Authentication Bypass Vulnerabilities in Firewalls

Related: New VPN Attack Demonstrated Against Palo Alto Networks, SonicWall Products

Related: SonicWall Patches 6 Vulnerabilities in Secure Access Gateway

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
