The SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) SonicWall products have a high severity (CVSS 9.8) vulnerability [CVE-2025-23006] affecting critical network infrastructure.
SonicWall SMA1000 allows companies to securely bridge on-prem and cloud infrastructure and to authenticate users so they can reach the in-company resources they need. These appliances play a critical role in the security of organizations, which also makes them attractive targets for attackers.
The flaw is in data deserialization that happens before authentication, allowing an attacker to make the device process arbitrary data (and potentially execute arbitrary commands) without being authenticated.
SonicWall Firewall and SMA 100 series products are not affected by this vulnerability.
See the resource center.
News
SonicWall has released an advisory stating that a pre-authentication deserialization-of-untrusted-data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). Under specific conditions, this could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
SonicWall has been notified of possible active exploitation of the referenced vulnerability by threat actors. They strongly advise users of the SMA1000 product to update to the hotfix version to address the vulnerability.
- SonicWall has indicated there is evidence of exploitation.
- Data from Cybersixgill, a Bitsight company, confirms the exploitation evidence.
- Bitsight Threat Intelligence indicates there are already a dozen GitHub repositories and vigorous discussion of the vulnerability on dark web forums.
- Bitsight third-party data indicates that SonicWall is a top 200 provider in the global supply chain.
Bitsight Status
- 23-JAN-2025
- Bitsight began an active investigation and is working on a detection mechanism. The team is developing a low-confidence capability. Early detection data should be available in 2-4 calendar days (Jan 26 - Jan 28).