Urgent Patch Needed: SonicWall Warns of Critical Vulnerability Affecting SMA 1000 Devices
January 23, 2025
On January 21, 2025, SonicWall disclosed a critical remote command execution vulnerability, tracked as CVE-2025-23006, after being notified by the Microsoft Threat Intelligence Center (MSTIC).
The vulnerability has a CVSS v3 score of 9.8 and allows remote unauthenticated attackers to execute arbitrary OS commands under specific conditions.
CVE-2025-23006 involves a pre-authentication deserialization of untrusted data vulnerability in the Appliance Management Console (AMC) and Central Management Console (CMC), which are essential for administrative tasks.
SonicWall acknowledged MSTIC for identifying the vulnerability, which has raised concerns due to the potential for active exploitation.
SonicWall's advisory indicated possible active exploitation of this vulnerability by threat actors, urging customers to apply fixes immediately.
To address the vulnerability, which affects earlier versions, SonicWall released version 12.4.3-02854 and advised users to upgrade to this latest hotfix.
As a precaution, SonicWall recommends restricting access to the AMC and CMC to trusted networks, aligning with best security practices.
SonicWall has a history of vulnerabilities in its SMA products, which have previously been targeted by ransomware groups, raising security concerns.
The SMA 1000 gateways are widely used by managed security service providers, enterprises, and government agencies for secure remote access, making unpatched flaws particularly risky.
As of the article's publication, no proof-of-concept code for CVE-2025-23006 has been released, but it is anticipated that attackers will attempt to exploit this flaw once it becomes publicly known.
Germany's CERT-Bund has issued a warning, urging system administrators to install updates immediately to mitigate risks associated with this vulnerability.
While the Microsoft Threat Intelligence Center reported the issue, it has not provided details on potential exploitation scenarios.
Summary based on 7 sources
Sources
The Hacker News • Jan 23, 2025
SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation
SecurityWeek • Jan 23, 2025
SonicWall Learns From Microsoft About Potentially Exploited Zero-Day