SonicWall Learns From Microsoft About Potentially Exploited Zero-Day


SonicWall on Wednesday credited Microsoft for reporting a critical remote command execution vulnerability that may have been exploited in the wild.

The zero-day, tracked as CVE-2025-23006, has been described by SonicWall as an untrusted data deserialization issue that impacts its Secure Mobile Access (SMA) 1000 series products, specifically the Appliance Management Console (AMC) and Central Management Console (CMC) administration tools.

A remote, unauthenticated attacker can exploit the vulnerability — under specific conditions — to execute arbitrary OS commands. 

“SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors,” the vendor highlighted in its advisory. 

The vulnerability affects version 12.4.3-02804 (platform-hotfix) and earlier, and it has been fixed with the release of version 12.4.3-02854 (platform-hotfix), which SMA1000 customers are strongly urged to install as soon as possible. 

The vendor pointed out that Firewall and SMA 100 series products are not impacted.
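A fleet check built on the version boundaries and product scope stated above, as an added example that is not SonicWall's or SecurityWeek's code. The inventory rows, host names, product labels and status names are constructed assumptions, and the comparison assumes builds order numerically and that any later release carries the fix.

```python
import re

# From the article: 12.4.3-02804 (platform-hotfix) and earlier are affected,
# 12.4.3-02854 (platform-hotfix) carries the fix.
FIXED = (12, 4, 3, 2854)
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)(?:\s*\(platform-hotfix\))?\s*$")

def parse_version(text):
    """Return (major, minor, patch, build), or None if the string is malformed."""
    m = VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(product, version):
    """Classify one inventory row: vulnerable, patched, not-affected or unknown."""
    # Assumption: the inventory labels devices by product line ("SMA 1000", "SMA 100", "Firewall").
    series = re.sub(r"[\s_-]+", "", product).upper()
    if series.startswith("SMA1000"):          # must be tested before the SMA100 prefix
        parsed = parse_version(version)
        if parsed is None:
            return "unknown"                  # unparseable version: check by hand, never assume patched
        # Assumption: numeric tuple order matches release order.
        return "patched" if parsed >= FIXED else "vulnerable"
    if series.startswith(("SMA100", "FIREWALL")):
        return "not-affected"                 # vendor: firewalls and SMA 100 are not impacted
    return "unknown"                          # unrecognised label: do not guess

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(product, version) for host, product, version in inventory}

# Constructed sample rows, not real hosts.
INVENTORY = [
    ("vpn-a", "SMA 1000", "12.4.3-02804 (platform-hotfix)"),
    ("vpn-b", "SMA1000", "12.4.3-02854 (platform-hotfix)"),
    ("vpn-c", "SMA 100", "n/a"),
    ("vpn-d", "SMA 1000", "not reported"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```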

The Microsoft Threat Intelligence Center (MSTIC) has been credited for reporting the vulnerability to SonicWall, but the tech giant’s threat intel unit does not appear to have published any information on the attacks that could involve exploitation of CVE-2025-23006.

SecurityWeek has reached out to Microsoft and will update this article if the company shares any information. 


It’s not uncommon for threat actors to exploit SonicWall product vulnerabilities in their attacks. 

The Known Exploited Vulnerabilities (KEV) catalog maintained by the cybersecurity agency CISA currently contains 10 SonicWall flaws, and the list does not include CVE-2025-23006.  
