CVE-2025-23006
published 2025-01-23

CVE-2025-23006: Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management…

Priority: P198 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2025-02-14
Exploited in the wild
EPSS: 22.36% (97.4th percentile)
Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | cbl_mariner_1.0_arm | | |
| msrc | cbl_mariner_1.0_x64 | | |
| msrc | cm1_kernel_5.10.174.1-1_on_cbl_mariner_1.0 | | |
| sonicwall | sma1000 | | |
| sonicwall | sma6200_firmware | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sma6210_firmware | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sma7200_firmware | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sma7210_firmware | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sma8200v | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sra_ex6000_firmware | <= 12.4.3-02804 | |
| sonicwall | sra_ex7000_firmware | <= 12.4.3-02804 | |
| sonicwall | sra_ex9000_firmware | <= 12.4.3-02804 | |

Detection & IOCs (extracted from sources)

version: SMA1000 firmware <= 12.4.3-02804 (platform-hotfix)
  • CVE-2025-23006 is a pre-authentication deserialization vulnerability in SonicWall SMA1000 AMC and CMC. Monitor for unauthenticated inbound requests to the AMC/CMC management interfaces that carry serialized Java/object payloads, which may indicate exploitation attempts.
  • CVE-2025-23006 was chained with CVE-2025-40602 (local privilege escalation) to achieve unauthenticated RCE with root privileges. Detections should look for both vulnerabilities being exploited in sequence on SMA1000 appliances.
  • SMA1000 appliances exposed on the internet (tracked by Shadowserver and Shodan) are actively targeted. Identify and prioritize patching of internet-facing SMA1000 AMC/CMC instances running firmware below 12.4.3-02854.
  • Microsoft's Threat Intelligence Center discovered the flaw. Defenders should monitor Microsoft threat intelligence feeds for additional indicators related to exploitation activity.
  • CVE-2025-23006 does NOT affect SMA 100 series products — only SMA1000 AMC and CMC are impacted. Ensure detection and patching efforts are scoped correctly.
  • CVE-2025-40602 (the chained LPE) does not affect SSL-VPN running on SonicWall firewalls — only the SMA1000 AMC is affected.
  • The CISA KEV remediation due date for CVE-2025-23006 was 2025-02-14. Organizations must apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  • The patched firmware version is 12.4.3-02854 (platform-hotfix) or later. Confirm the exact build version after upgrade to ensure the fix is applied.

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL
vendor_msrc: 5.5 MEDIUM