SonicWall Warns of Actively Exploited Zero-Day Vulnerabilities in SMA1000, Urges Immediate Patching

536/68 Friday, December 19, 2025

SonicWall has issued a security advisory urging customers to immediately apply security patches for SMA1000 (Appliance Management Console) devices after Google Threat Intelligence reported active zero-day exploitation involving two vulnerabilities. The attack chain begins with CVE-2025-23006, a critical pre-authentication deserialization vulnerability that allows remote compromise without authentication, followed by CVE-2025-40602, a local privilege escalation flaw that lets attackers gain the highest system privileges. Chained together, the two vulnerabilities allow attackers to execute operating system commands and take full control of affected devices.

The SMA1000 platform is widely used to provide enterprise VPN and remote access services, making it a critical component for businesses, government agencies, and critical infrastructure organizations. Because these vulnerabilities are actively exploited in the wild, the risk level is considered severe. According to Shadowserver, more than 950 SMA1000 devices worldwide remain exposed to the internet and are potentially vulnerable to exploitation.

To mitigate the risk, administrators are strongly advised to upgrade to the latest firmware versions immediately. SonicWall noted that a patch for CVE-2025-23006 has been available since January in Build 12.4.3-02854, but additional updates are required to fully remediate the privilege escalation vulnerability CVE-2025-40602. Failure to apply all required patches may allow attackers to seize control of the appliance and pivot into internal organizational networks.

Source: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/