- Microsoft found a zero-day in a SonicWall remote access appliance
- It was allegedly already being exploited in the wild
- Hackers were using it to execute code remotely
Hackers are abusing a zero-day in a SonicWall product to break into corporate networks and deploy malware, experts have warned.
In a security advisory, SonicWall urged its users to apply the patch, or deploy a workaround, as soon as possible.
The vulnerability is tracked as CVE-2025-23006. The National Vulnerability Database (NVD) gave it a severity score of 9.6/10 – critical. It was discovered by Microsoft in the SMA 1000 Appliance Management Console (AMC) and Central Management Console (CMC), tools designed to manage and control SonicWall network security devices, particularly in environments where secure remote access and centralized management are priorities.
Thousands of vulnerable appliances
The bug was described as a “pre-authentication deserialization of untrusted data”, and says it can, in specific conditions, enable a remote unauthenticated attacker to execute arbitrary OS commands.
“SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors,” the advisory reads. “We strongly advise users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.”
Both SonicWall and Microsoft are not saying who the attackers are, who the victims were, or how many there were.
Citing results from the Shodan search engine, BleepingComputer said there are “several thousand” SMA 1000 appliances exposed on the internet, hinting a potentially wide attack landscape for the threat actors. In recent times, threat actors have been increasingly focusing on edge devices, since they’re not as diligently monitored and allow them to break into the target infrastructure and move laterally, while remaining somewhat hidden.
SonicWall added that Firewall and SMA 100 series products are not affected by the vulnerability.
In the advisory, the company also added that to minimize the potential impact of the flaw, users should make sure they restrict access to trusted sources for the Appliance Management Console (AMC) and Central Management Console (CMC).
Via TechCrunch