Critical Zero-Day Vulnerability in SonicWall’s SMA 1000 Series Under Active Exploitation

January 24, 2025

SonicWall has alerted its customers about a critical security vulnerability, identified as CVE-2025-23006, which affects its Secure Mobile Access (SMA) 1000 Series appliances. The flaw, which has a CVSS score of 9.8, is a pre-authentication deserialization of untrusted data issue in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). It is believed to have been exploited in active attacks as a zero-day.

The advisory issued by the company states, “Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.” SonicWall's Product Security Incident Response Team (PSIRT) has been informed of possible active exploitation of the vulnerability by threat actors. The company strongly advises users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.

The vulnerability affects version 12.4.3-02804 (platform-hotfix) and earlier versions. SonicWall is urging its customers to remediate the vulnerability as soon as possible. In response to the issue, the company has released Version 12.4.3-02854, which addresses the flaw. The vulnerability was discovered by the Microsoft Threat Intelligence Center (MSTIC). SonicWall has not disclosed details about the attacks that exploited the flaw as a zero-day, nor the attackers’ motivations.

Experts also recommend restricting AMC and CMC access to trusted sources and following the SMA1000 Administration Guide’s best practices to reduce the vulnerability’s impact. The advisory concludes, “To minimize the potential impact of the vulnerability, please ensure that you restrict access to trusted sources for the Appliance Management Console (AMC) and Central Management Console (CMC). Refer to the SMA1000 Administration Guide, section – Best Practices for Securing the Appliance.”

In March 2023, researchers from Mandiant reported that a suspected China-linked threat actor, tracked as UNC4540, had deployed custom malware on a SonicWall SMA appliance. The malware enables the attackers to steal user credentials, maintain persistence across firmware upgrades, and gain shell access. Analysis of a compromised device revealed a set of files used by the attacker to obtain highly privileged, always-available access to the appliance. The malicious code consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The researchers believe the threat actors have a deep understanding of the appliance: the malware was purpose-built for the system to run stably and to keep its foothold even when the firmware is upgraded.

The primary purpose of the malware appears to be stealing hashed credentials from all logged-in users. It does this from within firewalld by routinely executing the SQL query select userName,password from Sessions against the sqlite3 database /tmp/temp.db and copying the results out to the attacker-created text file /tmp/syslog.db. The source database /tmp/temp.db is used by the appliance to track session information, including hashed credentials. Once retrieved by the attacker, the hashes could be cracked offline.
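The two facts above that a defender can act on are the fixed build number (12.4.3-02854) and the file and query artefacts Mandiant attributed to UNC4540. The following Python is an added triage helper, not code from SonicWall, Mandiant, or the article: it parses SMA1000 version strings of the form shown in the advisory and flags any build below the hotfix, and it scans captured text (a directory listing of /tmp, a command audit log, a support bundle) for the attacker-created /tmp/syslog.db and the credential query against the Sessions table. The sample listing and log lines are constructed for the example; the decision to treat every build below 12.4.3-02854 as needing the upgrade is an assumption, the conservative reading of "12.4.3-02804 and earlier".

```python
"""Added triage helper (not SonicWall's or Mandiant's code).

Two defender checks drawn from the advisory text:
  1. needs_hotfix(): does an SMA1000 version string sit below the
     12.4.3-02854 hotfix that addresses CVE-2025-23006?
  2. scan_for_indicators(): does a captured file listing or command log
     contain the UNC4540 artefacts Mandiant described (the attacker-created
     /tmp/syslog.db and the credential query against /tmp/temp.db)?
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Values from the advisory. Builds are written MAJOR.MINOR.PATCH-BUILD,
# optionally followed by a label such as "(platform-hotfix)".
FIXED_VERSION: Version = (12, 4, 3, 2854)
LAST_KNOWN_AFFECTED: Version = (12, 4, 3, 2804)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Turn '12.4.3-02804 (platform-hotfix)' into (12, 4, 3, 2804).
    Returns None for strings that do not follow the four-part format."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def needs_hotfix(text: str) -> bool:
    """True when the appliance is below the fixed build.
    Assumption (ours, not the advisory's): any build older than 12.4.3-02854
    is treated as needing the upgrade. Unparseable strings are also flagged
    so that a human looks at them instead of them silently passing."""
    v = parse_version(text)
    if v is None:
        return True
    return v < FIXED_VERSION


# Indicators taken from the Mandiant description quoted in the article.
INDICATORS = [
    ("attacker-created credential dump file",
     re.compile(r"/tmp/syslog\.db\b")),
    ("credential query against session db",
     re.compile(r"select\s+userName\s*,\s*password\s+from\s+Sessions",
                re.IGNORECASE)),
]


def scan_for_indicators(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, line) for every line matching an indicator.
    Input is any text captured from the appliance: a directory listing of
    /tmp, a process or command audit log, a support bundle."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for label, pat in INDICATORS:
            if pat.search(line):
                hits.append((n, label, line.rstrip()))
    return hits


# Constructed sample input (not real appliance output) so the file runs offline.
SAMPLE_LISTING = [
    "-rw-r--r-- 1 root root  4096 Mar 01 10:02 /tmp/temp.db",
    "-rw-r--r-- 1 root root   812 Mar 01 10:17 /tmp/syslog.db",
    "-rw-r--r-- 1 root root     0 Mar 01 09:58 /tmp/.lock",
]
SAMPLE_CMDLOG = [
    "firewalld[1234]: exec sqlite3 /tmp/temp.db "
    "'select userName,password from Sessions'",
    "sshd[222]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for v in ("12.4.3-02804 (platform-hotfix)", "12.4.3-02854", "12.4.2-01234"):
        print(f"{v:35} needs hotfix: {needs_hotfix(v)}")
    for hit in scan_for_indicators(SAMPLE_LISTING + SAMPLE_CMDLOG):
        print("INDICATOR line %d [%s]: %s" % hit)
```

Run it against the output of the appliance's own version display and against any file listings or shell audit logs you can export; a hit on /tmp/syslog.db on a device that is still on a pre-hotfix build is grounds to treat the appliance as compromised and rotate every credential that was in a session on it, since the hashes in that file are crackable offline.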
