Alert Essentials:
A pre-authentication remote command execution vulnerability is being actively exploited in the management consoles of the SonicWall SMA 1000 series.
Upgrade impacted models immediately.
Detailed Threat Description:
A critical deserialization of untrusted data vulnerability in the Appliance Management Console and Central Management Console of Secure Web Access 1000 series appliances is being actively exploited.
This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary commands on vulnerable devices, possibly granting the attacker complete control. Appliances with vulnerable firmware versions and administrative access exposed to the public internet are especially at risk of exploitation.
CVE-2025-23006 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. SonicWall recommends immediately upgrading to version 12.4.3-02854 (platform-hotfix) or later.
Workaround: To minimize the potential impact, the Appliance Management Console (AMC) and Central Management Console (CMC) should be restricted to trusted sources.
Impacts on Healthcare Organizations:
If this flaw is exploited in a healthcare environment, severe consequences will ensue. It may lead to compliance violations, data breaches, ransomware attacks, or reputational damage to the organization. Institutions should promptly upgrade vulnerable devices or apply mitigations to decrease the threat’s impact.
Affected Products / Versions:
- Appliance Management Console (AMC) versions 12.4.3-02804 and earlier using the default port of 8443
- Central Management Console (CMC) versions 12.4.3-02804 and earlier using the default port of 8443
CVEs:
- CVE-2025-23006, CWE-502 (CVSS 9.8)
Product | Impacted Models | Impacted Version | Fixed Models | Fixed Version |
---|---|---|---|---|
SMA1000 | SMA6200, SMA6210, SMA7200, SMA7210, SMA8200v (ESX, KVM, Hyper-V, AWS, Azure), EX6000, EX7000, EX9000 | 12.4.3-02804 and earlier versions | SMA6210, SMA7200, SMA7210, SMA8200v (ESX, KVM, Hyper-V, AWS, Azure) | 12.4.3-02854 and newer |
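The version table above can be applied to an appliance inventory as follows. This is an added example, not code from SonicWall or from the original advisory; the hostnames and inventory rows are constructed, and treating builds between 02804 and 02854 as needing an upgrade is an assumption, since the advisory does not classify them.

```python
import re

# Values taken from the advisory's version table.
LAST_AFFECTED = (12, 4, 3, 2804)   # "12.4.3-02804 and earlier versions"
FIRST_FIXED = (12, 4, 3, 2854)     # "12.4.3-02854 and newer"
FIXED_MODELS = {"SMA6210", "SMA7200", "SMA7210", "SMA8200V"}
IMPACTED_MODELS = FIXED_MODELS | {"SMA6200", "EX6000", "EX7000", "EX9000"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Return (major, minor, patch, build), or None if no version is present."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(g) for g in match.groups()) if match else None


def triage(model, version_text):
    """Classify one appliance against the advisory's version table."""
    model = model.strip().upper()
    if model not in IMPACTED_MODELS:
        return "not-listed"
    version = parse_version(version_text)
    if version is None:
        return "unknown-version"           # verify by hand; do not assume safe
    if version >= FIRST_FIXED:
        return "fixed"
    if model not in FIXED_MODELS:
        return "vulnerable-no-fix-listed"  # table lists no fixed version for it
    if version <= LAST_AFFECTED:
        return "vulnerable"
    return "below-fixed-build"             # assumption: upgrade anyway


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(model, ver) for host, model, ver in inventory}


# Constructed sample inventory: (hostname, model, firmware string).
INVENTORY = [
    ("vpn-a.example.internal", "SMA7210", "12.4.3-02804"),
    ("vpn-b.example.internal", "SMA8200v", "12.4.3-02854 (platform-hotfix)"),
    ("vpn-c.example.internal", "SMA6200", "12.4.2-05082"),
    ("vpn-d.example.internal", "SMA7200", "not reported"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as anything other than `fixed` still need the AMC/CMC access restrictions described in the workaround until they are upgraded.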
Recommendations:
Engineering Recommendations:
- Identify all SonicWall SMA 1000 devices in the organization
- Schedule a maintenance window to upgrade vulnerable appliances as soon as possible
- Ensure you have all necessary backups before starting the process
- Dual-homed appliances: Limit access to administrative consoles (default TCP port 8443) to trusted internal networks accessible via an internal interface only (will not impact user VPN traffic)
- Single-homed appliances: Use a firewall to limit access to administrative consoles (default TCP port 8443) to trusted internal networks (will not impact user VPN traffic)
- Limit access to the Appliance Management Console (AMC) and Central Management Console (CMC) to trusted sources only
- Ensure SMA appliances are not directly accessible from the internet and restrict their access to only essential resources within your network
- Implement strong authentication measures for accessing the SMA 1000 device, such as multi-factor authentication if available
- Monitor your SMA 1000 appliance closely for any suspicious activities or unauthorized access attempts
- Tenable released plugin #214591 on January 24, 2025: SonicWall SMA 1000 Series < 12.4.3-02854 Pre-authentication Remote Command Execution (SNWLID-2025-0002)
Leadership/Program Recommendations:
- Educate IT and security teams about the vulnerability and the importance of timely patching
- Implement a process for regular security audits to identify and address vulnerabilities promptly
- Review and update your organization’s incident response plan to include specific steps for addressing this vulnerability
- Develop a clear communication plan to inform stakeholders about the steps being taken to address the vulnerability
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CISA Known Exploited Vulnerabilities (KEV): https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-23006
- SonicWall Best practices for Securing Appliances: https://www.sonicwall.com/techdocs/pdf/sma_1000-12-4-admin_guide.pdf#page=653
- SonicWall Firmware Upgrade Process: https://www.sonicwall.com/support/knowledge-base/how-can-i-upgrade-firmware-in-sma-1000-series-appliance/220420130124677
- SonicWall Notice: Product Notice: Urgent Security Notification – SMA 1000 | SonicWall
- SonicWall PSIRT: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002