SonicWall’s Secure Mobile Access appliance faces zero-day attacks

by CybrGPT

The bug affects the management interfaces of SMA1000 Secure Mobile Access appliances, allowing the execution of arbitrary OS commands.


A critical bug in SonicWall’s remote access gateway, Secure Mobile Access (SMA1000), is likely being used in zero-day attacks, allowing remote code execution (RCE) by unauthenticated actors.

The issue, tracked as CVE-2025-23006, has received a critical rating of CVSS 9.8/10 for its ability to allow the deserialization of untrusted or malicious data before authentication.

“Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands,” SonicWall said in an advisory.

The company has credited the discovery to Microsoft Threat Intelligence Center (MSTIC) and has released a hotfix for the flaw.

The bug has zero-day exploits

Without revealing further details, the advisory acknowledged the existence of zero-day exploitation for the flaw.

“SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors,” it added. “We strongly advise users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.”

Speaking on the vulnerability’s in-the-wild exploitation, Boris Cipot, senior security engineer at Black Duck, said, “Since we are living in a world where remote work is a broad trend, such incidents are important to track. Securing mobile access points is one of the key points in enterprise infrastructure resilience.”

SMA1000 appliances provide secure remote access and are prime targets for attackers, making it crucial for organizations to promptly apply patches to prevent breaches, Cipot added.

The Microsoft team may reveal additional details on the exploitation at a later date.

A patch is now available

The bug is said to affect all firmware versions of the SMA1000 series up to 12.4.3-02854. A hotfix has been issued with version 12.4.3-02854 and higher, according to the advisory.

SonicWall outlined a workaround in the form of restricting access to trusted sources for the AMC and CMC, should immediate patching not be possible.

Elaborating on such precautions, Casey Ellis, founder of crowdsourced cybersecurity platform Bugcrowd, said, “Aside from patching, organizations should be ensuring that management interfaces for the SMA 1000, or any other device for that matter, given the cluster of vulnerabilities, research, and exploitation, are not publicly accessible.”

In an X post on Thursday, the German Computer Emergency Response Team, CERT-Bund, urged IT managers running affected systems to promptly apply patches. Several researchers have reported using exposure search engines like Shodan Search to find more than 2000 exposed SMA1000 devices online. SonicWall has now disclosed two highly exploitable security flaws within a month, the first being the SonicOS SSLVPN bug reported earlier in January that attackers could use for authentication bypass.


© 2025 cybrgpt.com – All rights reserved.