- Microsoft found a zero-day in a SonicWall remote access device
- It has likely already been exploited in the wild
- Hackers used it to execute code remotely
Hackers are abusing a zero-day in a SonicWall product to break into corporate networks and deploy malware, experts have warned.
In a security advisory, SonicWall has urged its users to apply the fix or deploy a workaround as soon as possible.
The vulnerability is tracked as CVE-2025-23006. The National Vulnerability Database (NVD) gave it a severity score of 9.6/10 (Critical). It was discovered by Microsoft in the SMA 1000 Appliance Management Console (AMC) and Central Management Console (CMC), tools designed to manage and control SonicWall network security appliances, particularly in environments where secure remote access and centralized management are priorities.
Thousands of vulnerable devices
The bug has been described as a “pre-authentication deserialization of untrusted data” vulnerability which, under specific conditions, can allow a remote unauthenticated attacker to execute arbitrary operating system commands.
“SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors,” the advisory said. “We strongly advise users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.”
SonicWall and Microsoft have not said who the attackers are, who the victims were, or how many there were.
Citing Shodan search engine results, BleepingComputer said there were “several thousand” SMA 1000 devices exposed on the internet, pointing to a potentially wide attack surface for threat actors. In recent times, threat actors have increasingly focused on edge devices, because these are not monitored diligently and allow them to enter the target infrastructure and move laterally while remaining relatively hidden.
SonicWall added that SMA 100 series products are not affected by the vulnerability.
In the advisory, the company also added that, to minimize the potential impact of the flaw, users should ensure they restrict access to the Appliance Management Console (AMC) and Central Management Console (CMC) to trusted sources only.
Via TechCrunch