
Critical Vulnerability in SonicWall SMA1000 Devices Actively Exploited

Sonic pre-auth vulnerability

SonicWall has issued an urgent security advisory for a critical vulnerability affecting its SMA1000 series appliances, which is actively being exploited in the wild. The vulnerability, tracked as CVE-2025-23006, carries a CVSS score of 9.8 and allows unauthenticated attackers to execute arbitrary commands remotely.

Microsoft's Threat Intelligence team discovered and reported the vulnerability to SonicWall. The flaw affects the Appliance Management Console (AMC) and Central Management Console (CMC) interfaces of SMA1000 series devices running versions 12.4.3-02804 and earlier.

The vulnerability stems from pre-authentication deserialization of untrusted data, which could allow attackers to execute operating system commands without requiring authentication. Particularly at risk are appliances with administrative access exposed to the public internet, typically configured on port 8443.

Affected models include SMA6200, SMA6210, SMA7200, SMA7210, SMA8200v (available for various platforms including ESX, KVM, Hyper-V, AWS, and Azure), EX6000, EX7000, and EX9000. SonicWall has confirmed that their Firewall and SMA 100 series products are not affected by this vulnerability.

In response, SonicWall has released version 12.4.3-02854 to patch the vulnerability. The company strongly urges customers to upgrade affected devices immediately.

For organizations unable to update immediately, SonicWall recommends implementing mitigation measures, including:

  • For dual-homed appliances, restrict administrative console access to trusted internal networks via an internal interface.
  • For single-homed appliances, use a firewall to limit administrative console access to trusted internal networks.

These measures can be implemented without affecting user VPN traffic.
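To turn the advisory's details into an upgrade queue, the following added example (not code from SonicWall, Microsoft or this site) triages an appliance inventory against the affected models and builds named above. The inventory layout, hostnames and status labels are assumptions, as is the treatment of builds newer than 12.4.3-02854 as fixed.

```python
import re

# Values taken from the advisory text above.
AFFECTED_MODELS = {"SMA6200", "SMA6210", "SMA7200", "SMA7210", "SMA8200V",
                   "EX6000", "EX7000", "EX9000"}
LAST_AFFECTED = (12, 4, 3, 2804)   # 12.4.3-02804 and earlier are affected
FIRST_FIXED = (12, 4, 3, 2854)     # 12.4.3-02854 carries the fix

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_version(text):
    """Turn '12.4.3-02804' into (12, 4, 3, 2804); None if malformed."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(model, version, mgmt_internet_exposed):
    """Return (status, priority) for one appliance record."""
    if model.strip().upper().replace(" ", "") not in AFFECTED_MODELS:
        return ("not-in-scope", "none")
    v = parse_version(version)
    if v is None:
        return ("unknown-version", "verify")
    if v >= FIRST_FIXED:  # assumption: later builds retain the fix
        return ("patched", "none")
    # Builds between the two named in the advisory are not described there,
    # so they are reported separately instead of being guessed at.
    status = "affected" if v <= LAST_AFFECTED else "unlisted-build"
    # An AMC/CMC console reachable from the internet goes to the front.
    return (status, "urgent" if mgmt_internet_exposed else "high")

# Constructed sample inventory (hypothetical hosts):
# (hostname, model, version, AMC/CMC reachable from the internet)
INVENTORY = [
    ("vpn-edge-1", "SMA7210", "12.4.3-02804", True),
    ("vpn-edge-2", "sma8200v", "12.4.3-02854", True),
    ("vpn-lab-1", "EX9000", "12.4.3-02830", False),
    ("vpn-dr-1", "SMA 6200", "12.4.2-02501", False),
    ("fw-core-1", "Firewall", "n/a", True),
]

def report(inventory=INVENTORY):
    """Map each hostname to its (status, priority) pair."""
    return {host: triage(model, ver, exposed)
            for host, model, ver, exposed in inventory}

if __name__ == "__main__":
    for host, (status, priority) in report().items():
        print(f"{host:12} {status:16} {priority}")
```
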

Organizations using affected devices should contact their authorized SonicWall partner or managed services provider for assistance with the upgrade process.
