CVE-2025-23006
Published: 2025-01-23
Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (remediation due 2025-02-14)
Exploited in the wild
EPSS: 22.36% (97.4th percentile)
Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_kernel_5.10.174.1-1_on_cbl_mariner_1.0 | — | — |
| sonicwall | sma1000 | — | — |
| sonicwall | sma6200_firmware | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sma6210_firmware | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sma7200_firmware | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sma7210_firmware | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sma8200v | < 12.4.3-02854 | 12.4.3-02854 |
| sonicwall | sra_ex6000_firmware | <= 12.4.3-02804 | — |
| sonicwall | sra_ex7000_firmware | <= 12.4.3-02804 | — |
| sonicwall | sra_ex9000_firmware | <= 12.4.3-02804 | — |
Detection & IOCs (extracted from sources)
- CVE-2025-23006 is a pre-authentication deserialization vulnerability in SonicWall SMA1000 AMC and CMC. Monitor for unauthenticated inbound requests to the AMC/CMC management interfaces that carry serialized Java/object payloads, which may indicate exploitation attempts.
- CVE-2025-23006 was chained with CVE-2025-40602 (local privilege escalation) to achieve unauthenticated RCE with root privileges. Detections should look for both vulnerabilities being exploited in sequence on SMA1000 appliances.
- SMA1000 appliances exposed on the internet (tracked by Shadowserver and Shodan) are actively targeted. Identify and prioritize patching of internet-facing SMA1000 AMC/CMC instances running firmware below 12.4.3-02854.
- Microsoft's Threat Intelligence Center discovered the flaw. Defenders should monitor Microsoft threat intelligence feeds for additional indicators related to exploitation activity.
- CVE-2025-23006 does NOT affect SMA 100 series products; only SMA1000 AMC and CMC are impacted. Ensure detection and patching efforts are scoped correctly.
- CVE-2025-40602 (the chained LPE) does not affect SSL-VPN running on SonicWall firewalls; only the SMA1000 AMC is affected.
- The CISA KEV remediation due date for CVE-2025-23006 was 2025-02-14. Organizations must apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- The patched firmware version is 12.4.3-02854 (platform-hotfix) or later. Confirm the exact build version after upgrade to ensure the fix is applied.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 9.8 | CRITICAL | — |
| cisa | 9.8 | CRITICAL | — |
| vendor_msrc | 5.5 | MEDIUM | — |
GHSA
GHSA-57r3-2prp-v2xh · ghsa_unreviewed · 2025-01-23 · CVE-2025-23006 [CRITICAL] · CWE-502
Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
VulnCheck
SonicWall SMA1000 Appliances Deserialization Vulnerability
vulncheck · 2025 · CVE-2025-23006 [CRITICAL] · CWE-502 · CVSS 9.8
SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) contain a deserialization of untrusted data vulnerability, which can enable a remote, unauthenticated attacker to execute arbitrary OS commands.
Affected: SonicWall SMA1000 Appliances
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.coveware.com/blog/2025/4/29/the-organizational-structure-of-ransomware-threat-actor-groups-is-evolving-before-our
CISA
SonicWall SMA1000 Appliances Deserialization Vulnerability
cisa · 2025-01-24 · CVE-2025-23006 [CRITICAL] · CWE-502 · CVSS 9.8
Affected: SonicWall SMA1000 Appliances
SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) contain a deserialization of untrusted data vulnerability, which can enable a remote, unauthenticated attacker to execute arbitrary OS commands.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002
- https://nvd.nist.gov/vuln/detail/CVE-2025-23006
Remediation Due Date: 2025-02-14
Microsoft
vendor_msrc · 2023-03-14 · CVE-2023-23006 [MEDIUM] · CWE-476 · CVSS 5.5
Note: this MSRC entry concerns CVE-2023-23006 (a Linux kernel mlx5 driver bug), not CVE-2025-23006; it is the source of the vendor_msrc 5.5 score and the cbl_mariner rows listed under Affected above.
In the Linux kernel before 5.15.13 drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case whereas it is actually an error pointer).
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is id
No detection rules found.
No public exploits indexed.
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant · 2026-03-05
## Look What You Made Us Patch: 2025 Zero-Days in Review
March 5, 2026 · Google Threat Intelligence Group
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
### Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Wiz
Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
blogs_wiz · 2026-01-22 · CVE-2025-55182 [HIGH] · CVSS 8.7
Welcome back! In this edition, we bring you the latest in cloud security: noteworthy incidents, exclusive data, and crucial vulnerabilities. Let’s jump in.
## 🔍 Highlights
React2Shell: Critical RCE Vulnerability in React and Next.js
React2Shell (CVE-2025-55182) is a critical, unauthenticated remote code execution vulnerability rooted in insecure deserialization within the React Server Components (RSC) “Flight” protocol, impacting React 19 and RSC-enabled frameworks, most notably Next.js. The flaw affects default configurations, meaning standard production deployments can be exploited with a single crafted HTTP request and no developer misconfiguration, with exploitation demonstrating near-100% reliability.
Since early December 2025, exploitation has been observed in the wild by multipl
Tenable
Exploitation of CVE-2025-40602 chained with CVE-2025-23006
blogs_tenable · 2025-12-17 · [CRITICAL] · CVSS 9.8
Bleepingcomputer
Sonicwall warns of new SMA1000 zero-day exploited in attacks
blogs_bleepingcomputer · 2025-12-17 · CVE-2025-40602 [CRITICAL] · CVSS 9.8
By Sergiu Gatlan
SonicWall warned customers today to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was chained in zero-day attacks to escalate privileges.
According to SonicWall, this medium-severity local privilege escalation security flaw (CVE-2025-40602) was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group, and doesn't affect SSL-VPN running on SonicWall firewalls.
"SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability," the company said in a Wednesday advisory.
Remote unauthenticated attackers chained this vulnerability with a critical-severity SMA1000 pre-au
Checkpoint
27th January – Threat Intelligence Report
blogs_checkpoint · 2025-01-27 · CVE-2024-8963
Stark Aerospace, a US-based manufacturer specializing in missile systems and UAVs, contractor of the US Military and the Department of Defense (DoD), has been targeted by the INC ransomware group. The attackers claim to have exfiltrated 4TB of data, including design documentation, source codes, firmware for various UAVs, contracts with the DoD, supply chain information, and personal data of company instructors.
Check Point Threat Emulation and Harmony Endpoint provide pr
Tenable
CVE-2025-23006: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Reportedly Exploited
blogs_tenable · 2025-01-23 · [CRITICAL] · CVSS 9.8
Bleepingcomputer
SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks
blogs_bleepingcomputer · 2025-01-23 · CVE-2025-23006 [CRITICAL] · CVSS 9.8
By Bill Toulas
SonicWall is warning about a pre-authentication deserialization vulnerability in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), with reports that it has been exploited as a zero-day in attacks.
The flaw, tracked as CVE-2025-23006 and rated critical (CVSS v3 score: 9.8), could allow remote unauthenticated attackers to execute arbitrary OS commands under specific conditions.
The vulnerability affects all firmware versions of the SMA100 appliance up to 12.4.3-02804 (platform-hotfix).
SonicWall highlighted that it has received reports that the vulnerability was exploited as a zero-day in attacks.
"SonicWall PSIRT has been notified of possible active exploitation
Wiz
CVE-2025-40602 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2025-40602 [CRITICAL] · CVSS 9.8
## CVE-2025-40602: SonicWall SMA 8200v Appliance vulnerability analysis and mitigation
A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
Source: NVD
- Score: 6.6 (CNA score 6.6, severity MEDIUM)
- Published: December 18, 2025
- High-profile vulnerability: Yes
- Affected technologies: SonicWall SMA 8200v Appliance
- Has public exploit: Yes
- Has CISA KEV exploit: Yes
- CISA KEV release date: N/A
- CISA KEV due date: N/A
- Exploitation probability percentile (EPSS): 54
- Exploitation probability (EPSS): 0.3
- Affected packages and libraries: cpe:2.3:a:sonicwall:sma8200v
- Sources: Linux (severity MEDIUM, has fix, added Dec 18, 2025); Windows (severity MEDIUM, has fix, added Dec 18, 2025)
Greynoiseio
NoiseLetter July 2025
blogs_greynoiseio
- 2025-01-23 · Published
- 2025-01-24 · Added to CISA KEV
- Exploited in the wild