A zero-day vulnerability in SonicWall Secure Mobile Access (SMA) 1000 Series appliances is currently being exploited by attackers. The vulnerability affects the Appliance Management Console (AMC) and Central Management Console (CMC) of the SMA 1000 series, potentially allowing remote, unauthenticated attackers to execute arbitrary OS commands on affected devices.
SonicWall SMA appliances are widely used by enterprises to provide secure access to applications and resources for remote employees. The vulnerable SMA 1000 series is specifically designed for large distributed organizations with thousands of employees. The flaw (CVE-2025-23006), described as a deserialization of untrusted data issue, could allow an attacker to trigger the execution of arbitrary OS commands if certain conditions are met.
The vulnerability is present in version 12.4.3-02804 (platform-hotfix) and earlier versions of the SMA 1000 appliances. SonicWall has released a patch in version 12.4.3-02854 (platform-hotfix) and higher versions to address the issue and mitigate potential attacks. The specifics of how the vulnerability is being actively exploited remain scarce.
Organizations using affected versions of SonicWall SMA 1000 appliances are strongly urged to update their systems to the patched versions to avoid potential compromise.
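For teams triaging a fleet, the following added example (not SonicWall code) classifies firmware version strings against the two boundaries quoted above. It assumes a `major.minor.patch-build` format with an optional trailing label; the hostnames and most inventory versions are constructed for illustration. Builds that fall between the two boundaries are reported as undetermined, because the article does not state their status.

```python
import re

# Version boundaries taken from the article text.
LAST_VULNERABLE = "12.4.3-02804"
FIRST_FIXED = "12.4.3-02854"

# Assumed format: major.minor.patch-build, optionally followed by a label
# such as "(platform-hotfix)".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch, build) as ints, or None if unparseable."""
    match = _VERSION_RE.match(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Classify a firmware version string against the article's boundaries."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    if version <= parse_version(LAST_VULNERABLE):
        return "vulnerable"
    if version >= parse_version(FIRST_FIXED):
        return "patched"
    # Builds between the two boundaries are not covered by the article.
    return "undetermined"


def audit(inventory):
    """Map each (hostname, version) pair to its classification."""
    return {host: classify(version) for host, version in inventory}


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("sma-hq-01", "12.4.3-02804 (platform-hotfix)"),
    ("sma-dr-01", "12.4.2-02500"),
    ("sma-eu-01", "12.4.3-02854 (platform-hotfix)"),
    ("sma-lab-01", "12.4.3-02830"),
    ("sma-old-01", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Appliances reported as undetermined or unparseable should be checked against the vendor advisory directly rather than assumed safe.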
In addition to the SonicWall SMA 1000 Series vulnerability, Cisco has disclosed several vulnerabilities, including a privilege escalation vulnerability (CVE-2025-20156) and a heap-based buffer overflow flaw (CVE-2025-20128) in Cisco Meeting Management. The latter flaw, when exploited, could terminate the ClamAV scanning process on endpoints running the Cisco Secure Endpoint Connector. Cisco has confirmed that proof-of-concept (PoC) exploit code for CVE-2025-20128 is already available, but there is currently no evidence that it is being actively exploited.