CVE-2025-23006

A pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
Configurations

Configuration 1

cpe:2.3:a:sonicwall:sma8200v:*:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:sonicwall:sma6200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sma6200:-:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:o:sonicwall:sma6210_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sma6210:-:*:*:*:*:*:*:*

Configuration 4

AND
cpe:2.3:o:sonicwall:sma7200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sma7200:-:*:*:*:*:*:*:*

Configuration 5

AND
cpe:2.3:o:sonicwall:sma7210_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sma7210:-:*:*:*:*:*:*:*

Configuration 6

AND
cpe:2.3:o:sonicwall:sra_ex6000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sra_ex6000:-:*:*:*:*:*:*:*

Configuration 7

AND
cpe:2.3:o:sonicwall:sra_ex7000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sra_ex7000:-:*:*:*:*:*:*:*

Configuration 8

AND
cpe:2.3:o:sonicwall:sra_ex9000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sra_ex9000:-:*:*:*:*:*:*:*

History

27 Jan 2025, 18:41

Type: CPE
Values Removed: (none)
Values Added:
cpe:2.3:h:sonicwall:sra_ex6000:-:*:*:*:*:*:*:*
cpe:2.3:a:sonicwall:sma8200v:*:*:*:*:*:*:*:*
cpe:2.3:o:sonicwall:sma6200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:sonicwall:sra_ex7000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sma6210:-:*:*:*:*:*:*:*
cpe:2.3:o:sonicwall:sma7210_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sma6200:-:*:*:*:*:*:*:*
cpe:2.3:o:sonicwall:sra_ex9000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sra_ex9000:-:*:*:*:*:*:*:*
cpe:2.3:o:sonicwall:sra_ex6000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sma7210:-:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sra_ex7000:-:*:*:*:*:*:*:*
cpe:2.3:h:sonicwall:sma7200:-:*:*:*:*:*:*:*
cpe:2.3:o:sonicwall:sma6210_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:sonicwall:sma7200_firmware:*:*:*:*:*:*:*:*

Type: References
Values Removed: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002
Values Added: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002 - Vendor Advisory

Type: First Time
Values Removed: (none)
Values Added:
Sonicwall sma6210 Firmware
Sonicwall sma6200 Firmware
Sonicwall sma7200 Firmware
Sonicwall sma6200
Sonicwall sra Ex6000 Firmware
Sonicwall sra Ex7000
Sonicwall sma8200v
Sonicwall sra Ex7000 Firmware
Sonicwall
Sonicwall sma7210 Firmware
Sonicwall sra Ex9000
Sonicwall sma7210
Sonicwall sma7200
Sonicwall sra Ex9000 Firmware
Sonicwall sra Ex6000
Sonicwall sma6210

23 Jan 2025, 15:15

Type: CVSS
Values Removed: v2 : unknown, v3 : unknown
Values Added: v2 : unknown, v3 : 9.8

Type: Summary
Values Removed: (none)
Values Added:
  • (es) A pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which under specific conditions could allow a remote unauthenticated attacker to execute arbitrary operating system commands.

23 Jan 2025, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-01-23 12:15

Updated : 2025-04-02 20:32


NVD link : CVE-2025-23006

Mitre link : CVE-2025-23006

CVE.ORG link : CVE-2025-23006



Products Affected

sonicwall

  • sma6200
  • sra_ex9000_firmware
  • sma6200_firmware
  • sra_ex6000_firmware
  • sra_ex6000
  • sma6210_firmware
  • sma7200_firmware
  • sma7210
  • sma8200v
  • sra_ex7000_firmware
  • sra_ex7000
  • sma6210
  • sma7200
  • sma7210_firmware
  • sra_ex9000
CWE
CWE-502

Deserialization of Untrusted Data