A zero day in SonicWall VPN appliances is being exploited in the wild, the security vendor has confirmed – capping a horrendous month for network security after zero day exploitation of Ivanti and Fortinet devices.
The SonicWall zero day, allocated CVE-2025-23006, was reported by Microsoft Threat Intelligence. It is exploitable by a remote and unauthenticated attacker. The vulnerability affects a product line for enterprise customers that can scale up to a million remote VPN users.
It has a CVSS 9.8 rating and affects SonicWall’s SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC).
SonicWall has a hotfix: Version 12.4.3-02854 and higher versions.
SonicWall zero day CVE-2025-23006: 200+ exposed
Shodan searches suggest that there are some 2,494 devices online, with 215 exposing management interfaces affected by the vulnerability.
SonicWall describes its SMA 1000 series as “designed as an advanced secure access gateway for medium enterprises, multi-national corporations and managed security service providers (MSSPs.)”
It is “preparing additional information for customers to verify the integrity of their appliances,” it added in its January 24 security advisory.