Cyber Resilience

CVE-2025-23006

CriticalCISA KEVActive ExploitationEUVD ExploitedRansomware-linkedRCE

Published: 23 January 2025

Published
23 January 2025
Modified
31 October 2025
KEV Added
24 January 2025
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5007 97.9th percentile
Risk Priority 70 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23006 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Sonicwall Sma8200V. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-23006 is a pre-authentication deserialization of untrusted data vulnerability, tracked under CWE-502, that affects the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). The flaw carries a CVSS 3.1 score of 9.8 and can, under specific conditions, permit remote execution of arbitrary operating system commands.

A remote unauthenticated attacker can exploit the issue over the network with low attack complexity and no user interaction, resulting in full compromise of confidentiality, integrity, and availability on the affected appliance.

The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, and SonicWall has published an advisory at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002 that addresses mitigation steps and available patches.

EPSS for the CVE rose from a low baseline to a peak of 0.6388 (current value 0.5007), indicating that exploitation interest increased after public disclosure and that the issue merits renewed attention.

EU & UK References

Vulnerability details

Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.

CWE(s)
KEV Date Added
24 January 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The CVE describes a pre-auth RCE via deserialization in a public-facing management console, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-40602Same product: Sonicwall Sma6200both on KEV
CVE-2024-53704Same vendor: Sonicwallboth on KEV
CVE-2026-4116Same product: Sonicwall Sma6200
CVE-2026-4113Same product: Sonicwall Sma6200
CVE-2025-59287Shared CWE-502both on KEV
CVE-2026-20963Shared CWE-502both on KEV
CVE-2025-55182Shared CWE-502both on KEV
CVE-2026-45247Shared CWE-502both on KEV
CVE-2025-0994Shared CWE-502both on KEV
CVE-2025-26399Shared CWE-502both on KEV

Affected Assets

sonicwall
sma8200v
≤ 12.4.3-02854
sonicwall
sma6200 firmware
≤ 12.4.3-02854
sonicwall
sma6210 firmware
≤ 12.4.3-02854
sonicwall
sma7200 firmware
≤ 12.4.3-02854
sonicwall
sma7210 firmware
≤ 12.4.3-02854
sonicwall
sra ex6000 firmware
≤ 12.4.3-02804
sonicwall
sra ex7000 firmware
≤ 12.4.3-02804
sonicwall
sra ex9000 firmware
≤ 12.4.3-02804

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires timely patching of the SMA1000 AMC and CMC to directly eliminate the pre-authentication deserialization vulnerability and prevent arbitrary OS command execution.

prevent

Information input validation mandates checking the validity of untrusted serialized data prior to deserialization, comprehensively addressing CWE-502 exploitation in the management consoles.

detect

Vulnerability monitoring and scanning identifies CVE-2025-23006 in affected SonicWall appliances, enabling prioritization for remediation.

References