SonicWall flags critical bug likely exploited as zero-day, rolls out hotfix

Big organizations and governments are main users of these gateways


SonicWall is warning customers of a critical vulnerability that was potentially already exploited as a zero-day.

The bug affects SonicWall's Secure Mobile Access (SMA) line, specifically the SMA 1000 product. The company stated in an advisory on Thursday that a remote unauthenticated attacker could execute arbitrary OS commands "in specific conditions."

SonicWall didn't specify what these conditions were, likely out of concern about giving criminals more details on how to exploit CVE-2025-23006, but given the 9.8 severity rating, it's safe to assume these conditions can be met in many cases.

Regardless, The Register requested additional details from the vendor but its spokespeople simply referred us back to the advisory.

What we do know is that CVE-2025-23006 affects the SMA 1000's Appliance Management Console (AMC) and Central Management Console (CMC), both of which are used for admin tasks including configuring and monitoring hardware and creating new admin accounts.

Although little has been said about the nature of the vulnerability – again, likely to give defenders time to apply patches – we can infer some elements from the breakdown of the severity score calculation.

The attack complexity is "low," no privileges are required for exploitation, and the risk to confidentiality, integrity, and system availability is rated "high" in all three categories.

The vendor released hotfix version 12.4.3-02854 (platform-hotfix), nullifying the issue. All prior versions are considered vulnerable.

A workaround is also available. The advisory reads: "To minimize the potential impact of the vulnerability, please ensure that you restrict access to trusted sources for the AMC and CMC."

These measures should ideally have already been taken, since they're part of the product's admin documentation, listed under "Best Practices for Securing the Appliance."

SonicWall's website states that the SMA 1000 gateways are used by the likes of MSSPs, enterprises, and government agencies to secure remote access to corporate datacenters hosted on-prem, in the cloud, or in hybrid setups.

It's not clear how many devices are currently operational across the globe, but we've asked the vendor to clarify this.

The advisory also clearly states that SonicWall Firewall and the SMA 100 series of appliances, designed for small and medium businesses, are unaffected. SonicWall credits the Microsoft Threat Intelligence Center for the discovery. ®
