SonicWall Warns of Critical 9.8 CVSS Vulnerability in SMA 1000 Series, Urges Immediate Patch
January 23, 2025
Germany's CERT-Bund has also issued a warning, urging system administrators to install updates immediately to protect against CVE-2025-23006.
The flaw involves a pre-authentication deserialization of untrusted data within the Appliance Management Console (AMC) and Central Management Console (CMC), which are essential for administrative tasks.
Research indicates that approximately 2,380 SMA1000 devices are currently exposed online, which increases their exposure to attack.
If exploited, the vulnerability could allow attackers to steal hashed credentials from logged-in users, which could then be cracked offline, posing a significant security risk.
As of now, no proof-of-concept code for CVE-2025-23006 has been released, but it is anticipated that attackers will seek to exploit this flaw once it becomes widely known.
SonicWall has reported a critical remote command execution vulnerability, designated CVE-2025-23006, with a CVSS score of 9.8.
SonicWall has a troubling history of vulnerabilities in its SMA products, which have been targeted by ransomware groups and are frequently listed among exploited vulnerabilities by various security agencies.
In response to the vulnerability, SonicWall has released a hotfix (version 12.4.3-02854) and urged customers to upgrade immediately to mitigate risks.
Experts recommend restricting access to the AMC and CMC to trusted sources as a best practice for security, aligning with SonicWall's guidance.
This marks the third critical security flaw identified in a security appliance since the start of 2025, following similar issues with Ivanti and Fortinet.
This vulnerability affects the Secure Mobile Access (SMA) 1000 Series appliances and could allow a remote unauthenticated attacker to execute arbitrary operating system commands under specific conditions.
The Microsoft Threat Intelligence Center (MSTIC) discovered and reported this security flaw to SonicWall, indicating that active exploitation is already occurring.
Summary based on 8 sources
Sources

The Hacker News • Jan 23, 2025
SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation
SecurityWeek • Jan 23, 2025
SonicWall Learns From Microsoft About Potentially Exploited Zero-Day