


Perceptive Security
SOC/SIEM Consultancy

SonicWall warns of new SMA1000 zero-day exploited in attacks
Published:
17 December 2025 at 17:44:18
Alert date:
17 December 2025 at 18:01:33
Source:
bleepingcomputer.com
Network Infrastructure, Zero-Day Vulnerabilities, Critical Infrastructure
SonicWall has warned customers to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that is being exploited in zero-day attacks to escalate privileges. Exploitation is ongoing, and because the flaw can be chained with an older pre-authentication bug to give an unauthenticated attacker root code execution, affected appliances should be patched immediately.
Technical details
Attackers chained CVE-2025-40602, a medium-severity local privilege escalation in the SonicWall SMA1000 Appliance Management Console, with CVE-2025-23006, a critical-severity pre-authentication deserialization flaw patched in January 2025; together the two give a remote, unauthenticated attacker code execution with root privileges. On its own, the new bug requires local access, which is why the older deserialization flaw matters: appliances that were never updated for CVE-2025-23006 are the ones exposed to the full unauthenticated chain. The vulnerability was reported by Google Threat Intelligence Group and was exploited as a zero-day before a fix was available. According to Shadowserver, over 950 SMA1000 appliances are currently exposed online.
Mitigation steps:
SonicWall PSIRT strongly advises SMA1000 users to upgrade to the latest hotfix release, which addresses CVE-2025-40602 (see the SonicWall PSIRT advisory in the related links below). Note that build 12.4.3-02854 (platform-hotfix), released on Jan 22, 2025, remediated only the earlier CVE-2025-23006: being on that build closes the unauthenticated chain but does not fix the new privilege escalation, so the newer hotfix is still required. Organizations should patch immediately given the critical roles these appliances play across enterprise, government, and critical infrastructure networks.
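The two paragraphs above describe a triage decision that is easy to get wrong when working through an appliance inventory: a box on 12.4.3-02854 is no longer exposed to the unauthenticated chain, but it still carries the local privilege escalation. The following Python is an added example (not SonicWall code and not from the source article) that parses SMA1000 build strings and classifies each host accordingly. The fixed build for CVE-2025-23006 is the one stated above; the build that fixes CVE-2025-40602 is not given on this page, so `ASSUMED_FIX_CVE_2025_40602` is a placeholder to be replaced with the hotfix build from the SonicWall PSIRT advisory. The inventory is constructed sample data.

```python
"""Triage an SMA1000 inventory against CVE-2025-23006 and CVE-2025-40602
by comparing reported build strings. Added example; not SonicWall code."""
import re
from dataclasses import dataclass

# Build that remediated CVE-2025-23006 (pre-auth deserialization), per the advisory text.
FIX_CVE_2025_23006 = "12.4.3-02854"

# ASSUMPTION / PLACEHOLDER: the page does not state the build that fixes
# CVE-2025-40602. Replace with the hotfix build from the SonicWall PSIRT advisory.
ASSUMED_FIX_CVE_2025_40602 = "12.4.3-03000"

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_build(build: str) -> tuple[int, int, int, int]:
    """Turn '12.4.3-02854' into (12, 4, 3, 2854) so builds compare numerically.

    Anything that does not match <major>.<minor>.<patch>-<build> raises, so a
    typo or blank in the inventory surfaces instead of silently sorting as patched.
    """
    m = _BUILD_RE.match(build.strip())
    if m is None:
        raise ValueError(f"unrecognised SMA1000 build string: {build!r}")
    major, minor, patch, num = (int(x) for x in m.groups())
    return (major, minor, patch, num)


def is_fixed(build: str, fixed_build: str) -> bool:
    """True when `build` is at or above the build that carries the fix."""
    return parse_build(build) >= parse_build(fixed_build)


@dataclass
class Finding:
    host: str
    build: str
    cve_2025_23006: bool   # pre-auth deserialization still present
    cve_2025_40602: bool   # AMC local privilege escalation still present
    risk: str


def classify(has_deser: bool, has_lpe: bool) -> str:
    """Map the two flags onto the exposure described in the article."""
    if has_deser and has_lpe:
        return "unauthenticated root RCE: CVE-2025-23006 chained with CVE-2025-40602"
    if has_deser:
        return "pre-auth code execution via CVE-2025-23006 (escalation path closed)"
    if has_lpe:
        return "local privilege escalation only via CVE-2025-40602 (needs a foothold)"
    return "patched for both CVEs"


def triage(inventory: dict[str, str],
           fix_40602: str = ASSUMED_FIX_CVE_2025_40602) -> dict[str, Finding]:
    """Classify every host in `inventory` (host -> build string)."""
    findings: dict[str, Finding] = {}
    for host, build in inventory.items():
        try:
            has_deser = not is_fixed(build, FIX_CVE_2025_23006)
            has_lpe = not is_fixed(build, fix_40602)
            risk = classify(has_deser, has_lpe)
        except ValueError:
            # Unparseable build: treat as fully exposed until someone checks the box.
            has_deser = has_lpe = True
            risk = "unknown build string, treat as exposed and verify manually"
        findings[host] = Finding(host, build, has_deser, has_lpe, risk)
    return findings


# Constructed sample inventory (host -> reported build); not real appliances.
SAMPLE_INVENTORY = {
    "sma1000-dc1": "12.4.3-02804",   # below the CVE-2025-23006 fix
    "sma1000-dc2": "12.4.3-02854",   # exactly the CVE-2025-23006 fix
    "sma1000-lab": "12.4.3-03000",   # at the assumed CVE-2025-40602 fix
    "sma1000-old": "12.4.2-02000",   # older minor release
    "sma1000-bad": "n/a",            # inventory entry nobody filled in
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY).values():
        print(f"{f.host:12} {f.build:14} {f.risk}")
```

Comparing the parsed tuple rather than the raw string avoids the classic mistake of string-ordering builds (where "12.4.3-9999" would sort above "12.4.10-0001"), and an unparseable entry is deliberately reported as exposed rather than skipped.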
Affected products:
SonicWall SMA1000 Appliance Management Console (AMC)
Not affected by this advisory: SonicWall SMA 100 series devices and SonicWall Gen 7 firewalls, which appear in the related links only because of earlier SonicWall incidents (OVERSTEP rootkit, Akira ransomware).
Related links:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-sma1000-rce-flaw-exploited-in-zero-day-attacks/
https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=ivanti&model=epm&dataset=count&limit=100&group_by=geo&stacking=stacked
https://www.bleepingcomputer.com/news/security/sonicwall-says-state-sponsored-hackers-behind-security-breach-in-september/
https://www.bleepingcomputer.com/news/security/sonicwall-warns-customers-to-reset-credentials-after-MySonicWall-breach/
https://www.bleepingcomputer.com/news/security/sonicwall-vpn-accounts-breached-using-stolen-creds-in-widespread-attacks/
https://www.bleepingcomputer.com/news/security/sonicwall-releases-sma100-firmware-update-to-wipe-rootkit-malware/
https://www.bleepingcomputer.com/news/security/sonicwall-sma-devices-hacked-with-overstep-rootkit-tied-to-ransomware/
https://www.bleepingcomputer.com/news/security/sonicwall-finds-no-sslvpn-zero-day-links-ransomware-attacks-to-2024-flaw/
https://www.bleepingcomputer.com/news/security/surge-of-akira-ransomware-attacks-hits-sonicwall-firewall-devices/
https://www.bleepingcomputer.com/news/security/akira-ransomware-exploiting-critical-sonicwall-sslvpn-bug-again/
Related CVEs:
CVE-2025-40602 (SMA1000 AMC local privilege escalation, exploited as a zero-day)
CVE-2025-23006 (SMA1000 pre-authentication deserialization, fixed in build 12.4.3-02854)
Related threat actors:
Not attributed in the source article.
IOCs:
None published for this campaign in the source article. The OVERSTEP rootkit malware listed in the related links belongs to the earlier SMA 100 series attacks, not to this SMA1000 zero-day.
This article was created with the assistance of AI technology by Perceptive.
