Security appliance: Attackers hijack SonicWall devices with system commands
The vulnerability is already being used by malicious users, according to the manufacturer. Anyone using the affected appliance should patch it.
There is a serious vulnerability in SonicWall appliances of the SMA1000 type.
(Image: created with AI in Bing Designer by heise online / dmk)
There is a serious security vulnerability in the management consoles of the SonicWall appliance SMA1000. Via an insecure deserialization (CVE-2025-23006, critical rating, CVSS value 9.8/10), attackers can remotely inject system commands under certain conditions, which the device then executes.
As the manufacturer explains in a security notice, only the SMA1000 appliance is affected; the "SonicWall Firewall" and SMA 100 product series are not affected by the vulnerability.
Anyone running product version 12.4.3-02804 or older is vulnerable and should update their devices to the fixed version 12.4.3-02854 as soon as possible. SonicWall also advises its customers to restrict access to the Appliance Management Console (AMC) and Central Management Console (CMC) to trusted networks.
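As an added illustration of the two pieces of advice above (this is editor-supplied example code, not from the article or from SonicWall), the following Python snippet parses SMA1000 version strings of the form `12.4.3-02804`, flags any build older than the fixed build 12.4.3-02854, and triages a constructed device inventory. Hostnames, the `product` labels, the `mgmt_restricted` field and the inventory entries are all assumptions made for the example; the advisory's scoping (only SMA1000 affected, SMA 100 and firewalls not) is taken from the text above.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Fixed build named in the advisory; builds 12.4.3-02804 and older are vulnerable.
FIXED_VERSION = "12.4.3-02854"

# SMA1000 versions look like "major.minor.patch-build" with a zero-padded build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.4.3-02804' into (12, 4, 3, 2804) so versions compare numerically.

    Comparing as integers avoids the string-comparison trap where '02804' > '0285'.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA1000 version format: {version!r}")
    return tuple(int(part) for part in match.groups())


def needs_update(version: str) -> bool:
    """True when the installed build is older than the fixed build.

    This is deliberately conservative: anything below FIXED_VERSION is reported,
    not only the 12.4.3-02804 build the advisory names as the last vulnerable one.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


# Constructed sample inventory (hypothetical hostnames and values, not from the article).
# 'mgmt_restricted' records whether AMC/CMC access is limited to trusted networks.
SAMPLE_INVENTORY = [
    {"hostname": "sma-edge-01", "product": "SMA1000", "version": "12.4.3-02804", "mgmt_restricted": False},
    {"hostname": "sma-edge-02", "product": "SMA1000", "version": "12.4.3-02854", "mgmt_restricted": True},
    {"hostname": "sma-edge-03", "product": "SMA1000", "version": "12.4.2-04920", "mgmt_restricted": True},
    {"hostname": "sma-branch-1", "product": "SMA 100", "version": "10.2.1-0100", "mgmt_restricted": False},
    {"hostname": "fw-core-01", "product": "SonicWall Firewall", "version": "7.1.1-7058", "mgmt_restricted": True},
]


def triage_inventory(devices: Iterable[dict]) -> Dict[str, List[str]]:
    """Return {hostname: [findings]} for SMA1000 devices that need action.

    SMA 100 and SonicWall firewall entries are skipped because the advisory
    scopes CVE-2025-23006 to the SMA1000 series only.
    """
    findings: Dict[str, List[str]] = {}
    for dev in devices:
        if dev["product"] != "SMA1000":
            continue
        issues = []
        if needs_update(dev["version"]):
            issues.append(f"running {dev['version']}; update to {FIXED_VERSION}")
        if not dev["mgmt_restricted"]:
            issues.append("AMC/CMC reachable from untrusted networks; restrict to trusted networks")
        if issues:
            findings[dev["hostname"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in triage_inventory(SAMPLE_INVENTORY).items():
        print(host)
        for issue in issues:
            print(f"  - {issue}")
```

In practice the inventory rows would come from an asset database or the appliances' own management interface rather than a hard-coded list; the comparison logic is the part worth keeping, since string comparison of zero-padded build numbers is an easy way to miss an unpatched device.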
Active attacks on the vulnerability
The tip-off about the command-injection bug apparently came from Microsoft's Threat Intelligence Center (MSTIC). The report that attackers are already actively exploiting the vulnerability presumably also came from Redmond, and is likely to be disseminated through the channels of the US cyber security agency CISA in the near future.
This vulnerability is already the third critical flaw in a security appliance since the beginning of the year. Ivanti and Fortinet have previously had to deal with dangerous problems in their appliances. The latter also made headlines because unknown persons leaked thousands of older VPN configurations and credentials from Fortinet devices on the darknet.
(cku)