SonicWall issued an alert Friday that a critical remote code execution vulnerability in its SMA appliances is under active exploitation by malicious hackers and urged customers to immediately update any vulnerable firmware.
Researchers from Microsoft Threat Intelligence had warned SonicWall about the pre-authentication remote code execution vulnerability, listed at CVE-2025-23006, which could allow attackers with access to the internal interface of the appliance to gain control, according to a post on X. The vulnerability has a severity score of 9.8.
SonicWall said in a security bulletin that appliances running vulnerable firmware versions with administrative access to web-based Appliance Management and Central Management consoles exposed to the public internet are particularly vulnerable to attack.
Appliance models affected by the critical deserialization of untrusted data vulnerability include SMA6200, SMA6210, SMA7200, SMA7210, SMA8200v (ESX, KVM, Hyper-V, AWS, Azure) and EX6000, EX7000 and EX9000. Firmware versions containing the security flaw include 12.4.3-02804 and earlier.
The Cybersecurity and Infrastructure Security Agency added the CVE to its known exploited vulnerabilities catalog on Friday.
SonicWall said its customers and partner firms had not previously reported any exploitation activity. Microsoft Threat Intelligence researchers, however, alerted SonicWall that it had discovered evidence of threat activity. Microsoft researchers declined to comment beyond what they posted on X.
The SMA 1000 series appliances allow “enterprise grade” secure remote access to organizations in a similar manner as other network devices, according to Rapid7. As such they are considered high value targets, Caitlin Condon, director of vulnerability intelligence at Rapid7, said via email.
“Ransomware groups in particular have historically been fans of SonicWall appliances and firewall vulnerabilities,” Condon added. “If previous ransomware campaigns targeting SMA100 series devices are any indication, SMA1000 devices will likely also see exploit attempts.”
Prior attacks involved ransomware groups, including DarkSide, exploiting an SQL injection vulnerability in SMA100 devices, listed as CVE-2021-20016. DarkSide was linked to the 2021 attacks against Colonial Pipeline, which for nearly a week disrupted gas service for motorists across much of the south and east coast of the U.S.
SonicWall noted that neither SMA100 devices nor Firewall SSL VPN devices are affected by the CVE-2025-23006 vulnerability.
Just last year, flaws in the company’s firewalls were targeted in a series of ransomware attacks. A critical vulnerability in SonicWall SonicOS, listed as CVE-2024-40766, faced active exploitation by hackers, including an affiliate of Akira ransomware.
