CVE-2025-23006
Published: 23 January 2025
Summary
CVE-2025-23006 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SonicWall SMA8200v. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires timely patching of the SMA1000 AMC and CMC to directly eliminate the pre-authentication deserialization vulnerability and prevent arbitrary OS command execution.
Information input validation mandates checking the validity of untrusted serialized data prior to deserialization, comprehensively addressing CWE-502 exploitation in the management consoles.
Vulnerability monitoring and scanning identifies CVE-2025-23006 in affected SonicWall appliances, enabling prioritization for remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a pre-auth RCE via deserialization in a public-facing management console, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary OS command execution.
NVD Description
Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
Deeper analysis
CVE-2025-23006 is a pre-authentication deserialization of untrusted data vulnerability (CWE-502) identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). Published on 2025-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impacts across confidentiality, integrity, and availability.
The vulnerability can be exploited by a remote unauthenticated attacker who, under specific conditions, could execute arbitrary operating system commands on affected systems. This requires network access with low complexity and no privileges or user interaction, enabling full compromise without authentication.
Mitigation guidance is available in the SonicWall PSIRT advisory (SNWLID-2025-0002) at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23006, signaling real-world exploitation.
Details
- CWE(s): CWE-502
- KEV Date Added: 24 January 2025