Nearly 3,700 SonicWall SMA 1000 series VPNs are exposed to the internet after disclosure of a recently discovered critical vulnerability, researchers at Censys said Monday in a blog post.
SonicWall on Friday confirmed that a remote code execution vulnerability was under active exploitation by attackers. The vulnerability, listed as CVE-2025-23006, allows an attacker with access to the appliance’s internal interface to take over the device, according to a post on X from Microsoft Threat Intelligence, which initially discovered and reported the flaw.
However, researchers from Shadowserver told Cybersecurity Dive Monday they only see about 180 exposed and potentially vulnerable SonicWall SMA 1000 series VPNs.
SonicWall previously warned that appliances running the vulnerable firmware versions with administrative access to the web-based Appliance Management and Central Management consoles are especially at risk if they are exposed to the public internet.
Microsoft Threat Intelligence last week published evidence of threat activity targeting the vulnerability, and SonicWall on Friday confirmed that attackers were exploiting it. It is not immediately known what type of post-exploitation activity is taking place, nor has any information on victims been disclosed.
The current cyberattack campaign marks the latest in a series of security issues related to SonicWall appliances, which have been targeted by a number of financially motivated threat groups over the years.
Prior vulnerabilities, including CVE-2021-20016 and CVE-2021-20028, have been weaponized by a variety of attackers, including UNC2447, HelloKitty and Five Hands ransomware groups, according to Censys.
A spokesperson for SonicWall was not immediately available for comment.