Pierluigi Paganini
January 24, 2025
SonicWall is warning customers of a critical security vulnerability, tracked as CVE-2025-23006 (CVSS score of 9,8) impacting its Secure Mobile Access (SMA) 1000 Series appliances. The vulnerability is a Pre-authentication deserialization of untrusted data issue in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) that has been likely exploited in attacks in the wild as a zero-day.
“Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.” reads the advisory. “IMPORTANT: “SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors. We strongly advises users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.”
The flaw impacts version 12.4.3-02804 (platform-hotfix) and earlier versions, SonicWall urges customers to address the vulnerability as soon as possible.
The company released Version 12.4.3-02854 which addresses the flaw.
Microsoft Threat Intelligence Center (MSTIC) discovered the vulnerability.
SonicWall has not disclosed details about the attacks that exploited the flaw as a zero-day, nor the attackers’ motivations
Experts also recommend restricting AMC and CMC access to trusted sources and following the SMA1000 Administration Guide’s best practices to reduce the vulnerability’s impact.
“To minimize the potential impact of the vulnerability, please ensure that you restrict access to trusted sources for the Appliance Management Console (AMC) and Central Management Console (CMC). Refer to the SMA1000 Administration Guide, section – Best Practices for Securing the Appliance.” concludes the advisory.
In March 2023, Mandiant researchers reported that alleged China-linked threat actors, tracked as UNC4540, deployed custom malware on a SonicWall SMA appliance. The malware allows attackers to steal user credentials, achieve persistence through firmware upgrades, and provides shell access.
The analysis of a compromised device revealed the presence of a set of files used by the attacker to gain highly privileged and available access to the appliance. The malicious code is composed of a series of bash scripts and a single ELF binary identified as a TinyShell variant.
The researchers believe that the threat actors deeply understand the appliance.
The malware was well tailored to the system to provide stability and maintain persistence, even in the case of installation of firmware upgrades.
“The primary purpose of the malware appears to be to steal hashed credentials from all logged in users. It does this in firewalld by routinely executing the SQL command select userName,password from Sessions against sqlite3 database /tmp/temp.db and copying them out to the attacker created text file /tmp/syslog.db.” reads the report published by Mandiant. “The source database /tmp/temp.db is used by the appliance to track session information, including hashed credentials. Once retrieved by the attacker the hashes could be cracked offline.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SonicWall SMA1000)
