SonicWall SMA1000, pre-authentication deserialization RCE
A pre-authentication deserialization of untrusted data vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) could, under specific conditions, allow a remote, unauthenticated attacker to execute arbitrary OS commands on the appliance. The root cause is unsafe deserialization of attacker-controlled data.
Overview
CVE-2025-23006 is a critical (CVSS 9.8) pre-authentication deserialization vulnerability in the SonicWall SMA1000 series secure access appliances, specifically in the Appliance Management Console (AMC) and Central Management Console (CMC). Under specific conditions, a remote, unauthenticated attacker can execute arbitrary operating-system commands on the appliance. SonicWall PSIRT disclosed the issue (SNWLID-2025-0002) and noted possible active exploitation, and CISA added it to the Known Exploited Vulnerabilities catalog on January 24, 2025, one day after the NVD publication date of January 23, 2025.
Technical Details
The vulnerability is an instance of CWE-502 (deserialization of untrusted data). The AMC/CMC management interface deserializes attacker-supplied data without adequate validation, allowing an attacker to control the object graph that is reconstructed and ultimately drive execution of arbitrary OS commands. Exploitation requires network access to the management interface but no valid credentials and no user interaction. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact to confidentiality, integrity, and availability.
Impact
- Unauthenticated arbitrary OS command execution on the SMA1000 appliance.
- Full compromise of the secure access gateway and its configuration.
- Exposure of VPN session data and credentials traversing the appliance.
- Pivot opportunity into protected internal networks.
Mitigation
- Upgrade SMA1000 firmware to version 12.4.3-02854 (platform-hotfix) or later.
- Restrict access to the AMC and CMC management interfaces to trusted source IP addresses only.
- Where a fix cannot be applied immediately, reduce the management consoles' exposure to the public internet.
- After patching, review the appliance for signs of prior compromise and rotate administrative credentials.
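The first two mitigation items can be checked across an appliance inventory. The script below is an added example, not SonicWall's code or part of the original advisory. It assumes firmware versions compare numerically field by field and that management-console source addresses have already been extracted from AMC/CMC access logs; the appliance names, the sample builds other than 12.4.3-02854, and all addresses are constructed.

```python
import ipaddress
import re

FIXED_VERSION = "12.4.3-02854"  # fixed build named in the mitigation list above

def parse_version(text):
    """Parse 'A.B.C-BUILD', optionally followed by a '(label)', into an int tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)(?:\s*\([^)]*\))?", text.strip())
    if not m:
        raise ValueError(f"unrecognized firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())

def needs_upgrade(version):
    """True when the version sorts below the fixed build (assumes numeric ordering)."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def untrusted_sources(source_ips, trusted_cidrs):
    """Return de-duplicated source IPs (first-seen order) outside every trusted network."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = {}
    for ip in source_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            flagged[ip] = None
    return list(flagged)

def audit(appliances, trusted_cidrs):
    """Map appliance name -> patch status and management-console sources to review."""
    return {
        a["name"]: {
            "needs_upgrade": needs_upgrade(a["version"]),
            "untrusted_mgmt_sources": untrusted_sources(a["mgmt_sources"], trusted_cidrs),
        }
        for a in appliances
    }

# Constructed sample data: hypothetical appliances, builds and documentation-range IPs.
TRUSTED_CIDRS = ["10.20.0.0/24", "192.0.2.10/32"]
APPLIANCES = [
    {"name": "sma-edge-1", "version": "12.4.3-02800",
     "mgmt_sources": ["10.20.0.15", "203.0.113.77", "203.0.113.77"]},
    {"name": "sma-edge-2", "version": "12.4.3-02854 (platform-hotfix)",
     "mgmt_sources": ["10.20.0.8", "192.0.2.10"]},
    {"name": "sma-lab", "version": "12.4.2-05100", "mgmt_sources": ["198.51.100.4"]},
]

if __name__ == "__main__":
    for name, result in audit(APPLIANCES, TRUSTED_CIDRS).items():
        print(name, result)
```

An appliance that reports both `needs_upgrade` and untrusted management sources is the first candidate for the compromise review described in the last mitigation item.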
Detection
Review AMC and CMC access logs for anomalous or malformed requests to the management interface and for unexpected administrative activity. Watch for unexpected processes or outbound connections originating from the appliance, and for unrecognized files written to the system. SonicWall strongly advised restricting management-interface access to trusted sources as both a mitigation and a way to reduce attack surface. CISA added CVE-2025-23006 to the Known Exploited Vulnerabilities catalog on January 24, 2025.