Preauthentication Deserialization Flaw Could Result in Remote Code Execution

Software vendors and national cybersecurity agencies are urging immediate patching of a critical SonicWall flaw days after the security device manufacturer disclosed that hackers are actively exploiting a zero-day.
Microsoft, which uncovered the flaw, tracked as CVE-2025-23006, said Friday it warned SonicWall that threat actors with access to the internal interface could achieve remote code execution.
The flaw doesn’t require user authentication, and SonicWall warned customers that appliances with vulnerable versions of firmware that have administrative access exposed to the internet “are especially at risk of exploitation.”
Cybersecurity devices deployed on the network edge are increasingly targeted by attackers to gain access to enterprise environments. A wave of incidents that began accumulating strength in 2023 has taken advantage of sloppy manufacturing and supply chain practices as well as administrative interfaces exposed to the internet when they shouldn’t be (see: Surge in Attacks Against Edge and Infrastructure Devices).
SonicWall said Thursday the appliance management and central management consoles of its enterprise-grade Secure Mobile Access 1000 line of products will deserialize untrusted data.
More than 2,000 SonicWall Secure Mobile Access appliances are exposed to the internet, with the majority of the appliances located in the U.S., followed by Germany and the U.K.
The U.S. Cybersecurity and Infrastructure Security Agency on Friday added the vulnerability to its Known Exploited Vulnerabilities Catalog.
The German and Irish cyber agencies strongly recommended users apply a patch. Security firm Tenable wrote that hackers are likely to exploit the flaw more vigorously once a proof of concept for the vulnerability is available.