Background
SonicWall’s Secure Mobile Access (SMA) 1000 series are SSL-VPN and remote access appliances used by enterprises to provide secure remote access to internal resources. Like similar products from Ivanti, Fortinet, and Citrix, they’re internet-facing by design and high-value targets — compromise them and you’re inside the network.
CVE-2025-23006 was disclosed in January 2025 and confirmed as being exploited in the wild at the time of disclosure. SonicWall’s advisory explicitly stated “there are indications that this may be being exploited in the wild.” CISA immediately added it to the KEV catalogue. Rapid7 provided technical analysis confirming the pre-auth nature of the vulnerability.
Technical Mechanism
The SMA 1000 series appliances run a Java-based management interface. The vulnerability is in the Appliance Management Console (AMC) and the Central Management Console (CMC) — administrative interfaces that are sometimes exposed to the internet for centralised management.
The specific vulnerability is in how the application deserialises Java objects from HTTP requests. Java deserialization vulnerabilities follow the same pattern as .NET deserialization:
- The application receives an HTTP request containing a serialised Java object (typically as a POST body)
- The application deserialises the object without proper type checking
- An attacker provides a crafted “gadget chain” — a sequence of Java objects that, when deserialised, invoke arbitrary methods
- Using gadget chains from tools like ysoserial (leveraging commons-collections, spring-core, or other popular libraries with known gadgets), the attacker executes OS commands
The critical aspect: this endpoint is accessible without authentication. No credentials, no session token, no prior access needed.
After exploitation, the attacker has code execution as the appliance’s application user (typically a highly privileged account on the SonicWall device).
Real-World Exploitation Evidence
SonicWall’s January 2025 advisory and subsequent CISA KEV listing confirmed active exploitation. Key points:
- Zero-day or near-zero-day — SonicWall disclosed while exploitation was already occurring
- Sophisticated actor activity — focusing on SMA appliances rather than scanning the internet indiscriminately suggests prepared, targeted threat actor activity
- SonicWall history — this is not the first time SonicWall SMA products have been targeted; CVE-2021-20016 (another SMA RCE) was previously exploited by ransomware actors
- Initial access pattern — SMA VPN appliances are commonly targeted by ransomware affiliates and nation-state actors for initial network access
The February 2025 Rapid7 analysis confirmed the pre-auth deserialization nature and noted that the AMC/CMC interfaces, while sometimes restricted, were accessible from the internet at many deployments.
Impact Assessment
- Full appliance compromise — root or equivalent access on the SMA device
- VPN session access — all active VPN sessions may be readable; user credentials accessible
- Network access — the compromised appliance provides a foothold into the protected internal network
- Persistent backdoor — custom implants or modified configurations survive restarts
- Certificate and key theft — SSL certificates and private keys configured on the appliance are exposed
- Ransomware staging — SMA compromise has historically led to ransomware deployment within days
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| SonicWall SMA 1000 | 12.4.3-02804 and earlier | 12.4.3-02854 |
Note: SMA 100 series (200, 210, 400, 410, 500v) are not affected — this is specific to SMA 1000 series.
Remediation Steps
- Update SMA 1000 firmware to version 12.4.3-02854 or later immediately
- If patching cannot be done immediately:
  - Restrict AMC/CMC access to trusted management IPs only
  - Ensure the AMC/CMC is not exposed to the internet
  - Review SMA appliance logs for unusual requests to AMC/CMC endpoints
- Check for signs of compromise:
  - New user accounts on the appliance
  - Modified VPN policies
  - Unusual scheduled tasks or scripts
- Rotate all VPN user credentials as a precaution if the appliance was internet-accessible
- If compromise is suspected, SonicWall recommends re-imaging the appliance from known-good firmware
Detection Guidance
SMA 1000 access logs — look for:
- POST requests to AMC/CMC endpoints from external IPs
- Requests with large base64-encoded bodies (Java serialized objects are base64-encoded in HTTP contexts)
- HTTP 500 errors followed by successful requests (probing/exploitation pattern)
Network monitoring — watch for unexpected outbound connections from the SMA appliance to external IPs.
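As an added example (not from SonicWall or the author of this write-up), the following Python script applies the three access-log patterns above to a few constructed log lines: requests to a management path from outside the trusted management networks, large POST bodies to a management path, and a 5xx followed by a 2xx from the same source. The log layout, the `/appliance/` management prefix (borrowed from the Suricata rule below), the trusted network `10.10.0.0/16`, the `/workplace/` user-portal path and the 2048-byte body threshold are all assumptions to replace with your deployment's values.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed log layout for this example:
#   "<ISO timestamp> <source ip> <method> <path> <status> <request body bytes>"
# The SMA 1000's own access-log format differs; adapt LOG_RE to it.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# AMC/CMC path prefix, borrowed from the page's Suricata rule; confirm it
# against your appliance (assumption).
MANAGEMENT_PREFIXES = ("/appliance/",)
# Networks allowed to reach the management consoles (assumption).
TRUSTED_MANAGEMENT_NETS = [ip_network("10.10.0.0/16")]
# Request bodies at or above this size count as "large" (assumed threshold;
# tune it against normal admin traffic).
LARGE_BODY_BYTES = 2048


def is_management_path(path: str) -> bool:
    return path.startswith(MANAGEMENT_PREFIXES)


def is_trusted_source(src: str) -> bool:
    """True only for addresses inside an allowed management network."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # unparseable source field: never treat as trusted
    return any(addr in net for net in TRUSTED_MANAGEMENT_NETS)


def analyze(lines: List[str]) -> List[Dict]:
    """Return one finding per log line that matches at least one pattern.

    Patterns: a request to a management path from outside the trusted
    networks; a large POST body to a management path; a 2xx response to a
    source that earlier received a 5xx on a management path (probe, then
    success).
    """
    findings: List[Dict] = []
    saw_5xx = set()  # sources that have already triggered a server error
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # malformed line; a production pipeline should count these
        rec = m.groupdict()
        status, nbytes = int(rec["status"]), int(rec["bytes"])
        reasons: List[str] = []
        if is_management_path(rec["path"]):
            if not is_trusted_source(rec["src"]):
                reasons.append("untrusted_source")
            if rec["method"] == "POST" and nbytes >= LARGE_BODY_BYTES:
                reasons.append("large_body")
            if 500 <= status < 600:
                saw_5xx.add(rec["src"])
            elif 200 <= status < 300 and rec["src"] in saw_5xx:
                reasons.append("error_then_success")
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"], "method": rec["method"],
                             "path": rec["path"], "status": status, "reasons": reasons})
    return findings


# Constructed sample lines: a trusted admin session, an external host probing
# the management console, and ordinary user-portal traffic.
SAMPLE_LOG = [
    "2025-01-22T09:58:10Z 10.10.5.20 GET /appliance/login 200 0",
    "2025-01-22T09:58:12Z 10.10.5.20 POST /appliance/login 302 180",
    "2025-01-22T10:15:01Z 203.0.113.7 GET /appliance/ 200 0",
    "2025-01-22T10:15:03Z 203.0.113.7 POST /appliance/ 500 6144",
    "2025-01-22T10:15:09Z 203.0.113.7 POST /appliance/ 200 6210",
    "2025-01-22T10:20:44Z 198.51.100.9 GET /workplace/ 200 0",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["src"], f["method"], f["path"], f["status"], ",".join(f["reasons"]))
```

Run as-is it reports only the three `203.0.113.7` lines; the trusted admin's login and the user-portal request produce no finding. The source allowlist is deliberately the same policy the remediation section asks for, so a hit on `untrusted_source` also tells you the access restriction is not in place.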
Suricata signature:
alert http any any -> $HTTP_SERVERS any (msg:"SonicWall SMA CVE-2025-23006 Java Deserialization Attempt"; flow:established,to_server; http.uri; content:"/appliance/"; http.request_body; content:"rO0AB"; classtype:web-application-attack; sid:2034023; rev:1;)
Note: rO0AB is the base64 prefix for Java serialized objects (\xAC\xED\x00\x05). It only matches when the stream is base64-encoded and starts on a base64 block boundary; a body that carries the raw header bytes, or base64 that begins at a different alignment, will not trigger this rule, so pair it with a rule that matches the raw bytes on the same buffer.
IOCs:
- POST requests containing Java serialization magic bytes to AMC/CMC endpoints
- Unexpected processes on SMA appliance (varies by firmware; requires CLI access to check)
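To show what the Suricata rule and the first IOC above are keying on, and to make the serialized-object step of the Technical Mechanism section concrete, here is an added Python example (not part of the original write-up and not SonicWall or Rapid7 code). It identifies a Java serialization stream in an HTTP body, whether raw or base64-encoded inside a form field, and lists the class names its class descriptors reference by scanning the stream rather than deserialising it. It goes slightly beyond the rule by also catching the raw form and a base64 token that does not sit at the start of the body. The sample stream, both class names in it, the zeroed serialVersionUID values and the gadget-library package watchlist are constructed for the example; the watchlist simply mirrors the libraries the page names (commons-collections, spring-core) and is not a vetted detection list.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Java Object Serialization Stream Protocol header: STREAM_MAGIC (0xACED) and
# STREAM_VERSION (0x0005). The page's Suricata rule matches its base64 form "rO0AB".
JAVA_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72  # type code that introduces a new class descriptor

# Base64 token starting with the encoded header, e.g. inside a form field.
B64_STREAM_RE = re.compile(rb"rO0AB[A-Za-z0-9+/]*={0,2}")
# Dotted Java class name (arrays and primitives are deliberately not matched).
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")

# Constructed watchlist: package prefixes of the libraries the page names as
# sources of public gadget chains. Not a vetted detection list.
GADGET_PACKAGE_PREFIXES = ("org.apache.commons.collections", "org.springframework")


def extract_stream(body: bytes) -> Optional[bytes]:
    """Return the serialized stream carried by an HTTP body, or None.

    Handles the raw form (magic bytes anywhere in the body) and the base64
    form (a token beginning with rO0AB anywhere in the body).
    """
    idx = body.find(JAVA_MAGIC)
    if idx != -1:
        return body[idx:]
    match = B64_STREAM_RE.search(body)
    if match is None:
        return None
    try:
        decoded = base64.b64decode(match.group(0), validate=True)
    except binascii.Error:
        return None  # truncated or URL-mangled base64: treat as no stream
    return decoded if decoded.startswith(JAVA_MAGIC) else None


def referenced_classes(stream: bytes) -> List[str]:
    """Heuristically list class names from TC_CLASSDESC records.

    A new class descriptor is encoded as 0x72, a 2-byte big-endian length and
    the class name. The stream is scanned, never deserialised, so this is safe
    to run on hostile input. A stray 0x72 byte is rejected unless the length
    and the following bytes form a plausible class name.
    """
    names: List[str] = []
    pos = len(JAVA_MAGIC)
    while True:
        pos = stream.find(bytes([TC_CLASSDESC]), pos)
        if pos == -1:
            return names
        length = int.from_bytes(stream[pos + 1:pos + 3], "big")
        candidate = stream[pos + 3:pos + 3 + length]
        if length and len(candidate) == length and CLASS_NAME_RE.match(candidate):
            name = candidate.decode("ascii")
            if name not in names:
                names.append(name)
        pos += 1


def triage_body(body: bytes) -> Dict:
    """Classify one HTTP request body for incident triage."""
    stream = extract_stream(body)
    if stream is None:
        return {"java_stream": False, "classes": [], "gadget_hits": []}
    classes = referenced_classes(stream)
    hits = [c for c in classes if c.startswith(GADGET_PACKAGE_PREFIXES)]
    return {"java_stream": True, "classes": classes, "gadget_hits": hits}


def _utf(s: str) -> bytes:
    """Length-prefixed UTF string as used by the stream format."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def _class_desc(name: str) -> bytes:
    # TC_CLASSDESC, class name, placeholder serialVersionUID (all zero),
    # SC_SERIALIZABLE flag, zero fields, TC_ENDBLOCKDATA closing the annotation
    return bytes([TC_CLASSDESC]) + _utf(name) + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78"


def build_sample_stream() -> bytes:
    """Constructed stream: one object whose class extends a second class.

    Both class names are made up for this example; the commons-collections
    package is used only so that the watchlist check has something to hit.
    """
    return (
        JAVA_MAGIC
        + b"\x73"  # TC_OBJECT
        + _class_desc("org.apache.commons.collections.functors.ExampleFunctor")
        + _class_desc("com.example.AbstractFunctor")
        + b"\x70"  # TC_NULL: no further superclass
    )


# Constructed request bodies: benign JSON, the raw stream, and the same stream
# base64-encoded inside a form field.
SAMPLE_BODIES = {
    "benign_json": b'{"user": "alice", "action": "list-sessions"}',
    "raw": build_sample_stream(),
    "form_base64": b"session=abc&payload=" + base64.b64encode(build_sample_stream()),
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, triage_body(body))
```

The class list is the useful triage output: a management request whose body references a collections or Spring class has no legitimate reason to exist on an SMA appliance, and the names can go straight into a hunt across the rest of the appliance's logs. Because the scan never calls a deserialiser, it can be run on captured request bodies from a compromised box without risk of executing them.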
Timeline
| Date | Event |
|---|---|
| January 2025 | SonicWall discovers active exploitation of CVE-2025-23006 |
| 22 January 2025 | SonicWall releases patch and advisory; confirms active exploitation |
| January 2025 | CISA immediately adds to Known Exploited Vulnerabilities catalogue |
| February 2025 | Rapid7 publishes technical confirmation of pre-auth deserialization |
| 2025 | Continued monitoring for SMA-based initial access in threat campaigns |