Advisory

January 27 Advisory: SonicWall RCE Vulnerability Added to CISA KEV [CVE-2025-23006]

Date of Disclosure (source): January 22, 2025
Date Reported as Actively Exploited (source): January 24, 2025

**Update** (January 28, 2025): 

We originally reported that 3,534 exposed SonicWall SMA 1000-series VPNs were potentially vulnerable to CVE-2025-23006. This estimate was based on identifying devices running a vulnerable firmware version, without accounting for whether the management interfaces—specifically affected by this vulnerability—were publicly accessible. These exposed management interfaces are more likely to be targeted by remote actors.

When we filter for just the devices exposing an Appliance or Central Management Console interface, we detect 91 potentially vulnerable login interfaces. 

Below is a query for all exposed management consoles regardless of version, not all of which are necessarily vulnerable (see our policy for sharing Rapid Response queries).

```
services.software: (vendor="SonicWall" and product="Secure Mobile Access") and services.http.response.html_title:{"Appliance Management Console Login",  "Central Management Console Login"} and not labels: {honeypot, tarpit}
```

The Censys Perspective section below has been updated to reflect these findings.


CVE-2025-23006 is a critical remote code execution (RCE) vulnerability affecting SonicWall 1000-series Secure Mobile Access (SMA) VPNs with a CVSS score of 9.8. 

The flaw is in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) versions 12.4.3-02804 and earlier. If successfully exploited, it allows unauthenticated attackers to execute arbitrary OS commands. 

On January 24, 2025, this vulnerability was added to CISA’s list of Known Exploited Vulnerabilities (KEV). While specific details regarding threat activity remain unclear, SonicWall has confirmed reports of active exploitation.

SonicWall SMA vulnerabilities have a history of being targets for cybercriminals, including CVE-2021-20016 and CVE-2021-20028. Specifically, the UNC2447, HelloKitty and FiveHands ransomware groups have been known to target SonicWall SMA vulnerabilities. 

SonicWall has urged users to patch affected instances by upgrading to 12.4.3-02854 (platform-hotfix) or a higher version. Additionally, they have advised customers to restrict access to the Appliance and Central Management Consoles to trusted sources.


| Field | Details |
|---|---|
| CVE-ID | CVE-2025-23006 – CVSS 9.8 (critical) – assigned by CISA-ADP |
| Vulnerability Description | A pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands. |
| Date of Disclosure | January 22, 2025 |
| Affected Assets | SonicWall AMC and CMC in SMA1000-series VPNs |
| Vulnerable Software Versions | Prior to and including version 12.4.3-02804 |
| PoC Available? | We did not observe any public exploits available at the time of writing. |
| Exploitation Status | This vulnerability was added to CISA KEV on January 24, 2025. |
| Patch Status | This vulnerability was addressed by the vendor in version 12.4.3-02854 (platform-hotfix) and higher versions. |

Censys Perspective

At the time of writing, Censys observed 4,743 exposed SonicWall SMA VPNs. A significant proportion of these devices (42%) are geolocated in the United States. The 4,743 exposures represent our combined observations of all SonicWall SMA VPNs, but we were able to confirm that 3,917 exposures are SMA-1000 series VPNs.

A small percentage of exposed SMA-1000 series VPNs display signs of either the Appliance or Central Management Consoles, and only 91 of these reveal a version that may be vulnerable.


| Version | Vulnerability Status | Host Count |
|---|---|---|
| 12.4.3 | Potentially vulnerable | 65 |
| 12.4.2 | Vulnerable | 19 |
| 12.4.1 | Vulnerable | 7 |

This vulnerability was addressed in version 12.4.3-02854 (platform-hotfix), meaning that hosts exposing version 12.4.3 are potentially vulnerable, but we cannot confirm that these hosts are vulnerable because the full build number is not exposed.
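The triage logic described in the update and in the table above, written out as an added example (this is not Censys or SonicWall code, and the host records it runs on are constructed, not real observations): a host only counts as an exposed management interface when its HTTP title is one of the two console login pages from the query, a version below 12.4.3 is vulnerable, 12.4.3 with a build number is decided against the 12.4.3-02854 hotfix boundary, and 12.4.3 with no build number is only "potentially vulnerable" because the fix cannot be distinguished from the last vulnerable build.

```python
"""Triage of SonicWall SMA 1000-series observations for CVE-2025-23006.

Added example, not Censys or SonicWall code. Version boundaries come from
the advisory: 12.4.3-02804 is the last vulnerable build, 12.4.3-02854
(platform-hotfix) is the first fixed one. Host records are constructed.
"""
import re
from collections import Counter

# (major, minor, patch, build) of the platform-hotfix that fixes the flaw.
FIXED_BUILD = (12, 4, 3, 2854)

# HTTP titles of the two management consoles used in the Censys query.
CONSOLE_TITLES = {
    "Appliance Management Console Login",
    "Central Management Console Login",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text):
    """Split '12.4.3-02804' into ((12, 4, 3), 2804); '12.4.3' gives build None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch)), (None if build is None else int(build))


def classify(version):
    """Return 'vulnerable', 'potentially vulnerable' or 'patched' for one version string."""
    base, build = parse_version(version)
    fixed_base = FIXED_BUILD[:3]
    if base < fixed_base:
        return "vulnerable"              # 12.4.2, 12.4.1, ... are all below the fix
    if base > fixed_base:
        return "patched"                 # later trains include the fix
    if build is None:
        return "potentially vulnerable"  # 12.4.3 with no build: cannot tell
    return "patched" if build >= FIXED_BUILD[3] else "vulnerable"


def triage(observations):
    """Count exposed management consoles by status.

    observations: iterable of dicts with 'host', 'html_title' and 'version'.
    Hosts whose title is not a console login page are skipped, matching the
    refined query; console hosts with no version string are counted apart.
    """
    counts = Counter()
    for obs in observations:
        if obs.get("html_title") not in CONSOLE_TITLES:
            counts["not a management console"] += 1
            continue
        version = obs.get("version")
        if not version:
            counts["console exposed, version unknown"] += 1
            continue
        counts[classify(version)] += 1
    return dict(counts)


# Constructed sample observations (documentation-range addresses, not real hosts).
SAMPLE_OBSERVATIONS = [
    {"host": "198.51.100.10", "html_title": "Appliance Management Console Login", "version": "12.4.1"},
    {"host": "198.51.100.11", "html_title": "Central Management Console Login", "version": "12.4.2"},
    {"host": "198.51.100.12", "html_title": "Appliance Management Console Login", "version": "12.4.3"},
    {"host": "198.51.100.13", "html_title": "Appliance Management Console Login", "version": "12.4.3-02804"},
    {"host": "198.51.100.14", "html_title": "Central Management Console Login", "version": "12.4.3-02854"},
    {"host": "198.51.100.15", "html_title": "Appliance Management Console Login", "version": None},
    {"host": "198.51.100.16", "html_title": "SonicWall SMA", "version": "12.4.2"},  # user portal, not a console
]

if __name__ == "__main__":
    for status, n in sorted(triage(SAMPLE_OBSERVATIONS).items()):
        print(f"{status:35} {n}")
```

The last record shows why the update's refinement matters: a device on a vulnerable firmware version that does not expose a console login page is dropped from the count, just as the title filter in the query drops it.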

Map of Exposed SonicWall SMA VPNs:

Censys Search Query:

```
services.software: (vendor="SonicWall" and product="Secure Mobile Access") and services.http.response.html_title:{"Appliance Management Console Login",  "Central Management Console Login"} and not labels: {honeypot, tarpit}
```

Censys ASM Query:

```
(host.services.software: (vendor="SonicWall" and product="Secure Mobile Access") or web_entity.instances.software: (vendor="SonicWall" and product="Secure Mobile Access")) and host.services.http.response.html_title:{"Appliance Management Console Login",  "Central Management Console Login"} and not host.labels: {honeypot, tarpit}
```

Censys ASM Risk Query:

```
risks.name = "Vulnerable SonicWall Secure Mobile Access [CVE-2025-23006]"
```

Please note that this risk was recently deployed and results may take up to 24 hours to fully propagate. 
