2025-1-23 17:54:0 Author: www.tenable.com(查看原文) 阅读量:35 收藏
January 23, 2025
3 Min Read
A zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 1000 was reportedly exploited in the wild according to researchers.
Background
On January 22, SonicWall published a security advisory (SNWLID-2025-0002) for a newly disclosed vulnerability in its Secure Mobile Access (SMA) 1000 product, a remote access solution.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-23006 | SonicWall SMA 1000 Deserialization of Untrusted Data Vulnerability | 9.8 |
Analysis
CVE-2025-23006 is a deserialization of untrusted data vulnerability in the appliance management console (AMC) and central management console (CMC) of the SonicWall SMA 1000. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable device. Successful exploitation would grant the attacker arbitrary command execution on the device. The advisory specifies that “specific conditions” could allow for OS command execution, though it’s unclear from the information provided by SonicWall what those conditions might be.
Possible active exploitation in the wild
According to SonicWall’s Product Security Incident Response Team (PSIRT), there are reports of “possible active exploitation” of this flaw “by threat actors.” While specific details are not known at this time, the vulnerability was reported to SonicWall by researchers at Microsoft Threat Intelligence Center (MSTIC).
Historical exploitation of SonicWall SMA vulnerabilities
SonicWall products have been a frequent target for attackers over the years. Specifically, the SMA product line has been targeted in the past by ransomware groups, as well as being featured in the Top Routinely Exploited Vulnerabilities list co-authored by multiple United States and International Agencies. The following are a list of known SMA vulnerabilities that have been exploited in the wild:
| CVE | Description | Tenable Blog Links | Year |
|---|---|---|---|
| CVE-2019-7481 | SonicWall SMA100 SQL Injection Vulnerability | 1 | 2019 |
| CVE-2019-7483 | SonicWall SMA100 Directory Traversal Vulnerability | - | 2019 |
| CVE-2021-20016 | SonicWall SSLVPN SMA100 SQL Injection Vulnerability | 1, 2, 3, 4, 5 | 2021 |
| CVE-2021-20038 | SonicWall SMA100 Stack-based Buffer Overflow Vulnerability | 1, 2, 3 | 2021 |
Proof of concept
At the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2025-23006. If and when a public PoC exploit becomes available for CVE-2025-23006, we anticipate a variety of attackers will attempt to leverage this flaw as part of their attacks.
Solution
SonicWall has released version 12.4.3-02854 to address this vulnerability, which impacts version 12.4.3-02804 and earlier. According to SonicWall, SMA 100 series and SonicWall Firewall devices are not impacted.
The advisory also provides a workaround to reduce potential impact. This involves restricting access to the AMC and CMC to trusted sources. The advisory also notes to review the best practices guide on securing SonicWall appliances.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-23006 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Scott Caveza
Scott joined Tenable in 2012 as a Research Engineer on the Nessus Plugins team. Over the years, he has written hundreds of plugins for Nessus, and reviewed code for even more from his time being a team lead and manager of the Plugins team. Previously leading the Security Response team and the Zero Day Research team, Scott is currently a member of the Security Response team, helping the research organization respond to the latest threats. He has over a decade of experience in the industry with previous work in the Security Operations Center (SOC) for a major domain registrar and web hosting provider. Scott is a current CISSP and actively maintains his GIAC GWAPT Web Application Penetration Tester certification.
Interests outside of work: Scott enjoys spending time with his family, camping, fishing and being outdoors. He also enjoys finding ways to break web applications and home renovation projects.
Satnam Narang
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
- Exposure Management
- Vulnerability Management
Cybersecurity news you can use
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.
Try Tenable Web App Scanning
Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.
Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.
Buy Tenable Web App Scanning
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
如有侵权请联系:admin#unsafe.sh