CVE-2025-23006
Published: 23 January 2025
Description
A pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
Security Summary
CVE-2025-23006 is a pre-authentication deserialization of untrusted data vulnerability (CWE-502) identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). Published on 2025-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impacts across confidentiality, integrity, and availability.
The vulnerability can be exploited by a remote unauthenticated attacker who, under specific conditions, could execute arbitrary operating system commands on affected systems. This requires network access with low complexity and no privileges or user interaction, enabling full compromise without authentication.
Mitigation guidance is available in the SonicWall PSIRT advisory (SNWLID-2025-0002) at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23006, signaling real-world exploitation.
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 24 January 2025