
More than 2,000 SonicWall devices vulnerable to critical zero-day

A vulnerability affecting a popular line of VPN appliances from SonicWall is causing alarm following reports that hackers are using it in attacks. 

The cybersecurity company published an advisory on Wednesday warning that the vulnerability impacts its Secure Mobile Access (SMA) 1000 Series product, which many companies use to provide employees with VPN access to corporate networks.

“[The SonicWall security team] has been notified of possible active exploitation of the referenced vulnerability by threat actors,” the company said, noting that the vulnerability was given a 9.8 severity rating out of 10. “We strongly advise users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.”

A Shodan search shows that 2,300 SonicWall devices are exposed to the internet and may be vulnerable to the bug — tracked as CVE-2025-23006 — with most in the U.S., Germany and Hong Kong. 


A map showing instances of exposed Secure Mobile Access 1000 Series products. Credit: Shodan

On Friday, the Cybersecurity and Infrastructure Security Agency released its own warning that the bug is being exploited, giving civilian agencies until February 14 to patch it. 

Microsoft’s security team, which discovered the vulnerability and reported it to SonicWall, said on Friday that it is imperative for users to download the update and patch the bug. 

These types of devices — appliances that serve as gateways for secure remote access — are an attractive target for attackers, said Boris Cipot of the cybersecurity company Black Duck. 

Scott Caveza, staff research engineer at Tenable, noted that SonicWall devices have been targeted frequently in the past, with several bugs featured on CISA’s list of exploited bugs.

“Specifically, the SMA product line has been targeted in the past by ransomware groups, as well as being featured in the Top Routinely Exploited Vulnerabilities list co-authored by multiple United States and International Agencies,” he said. 

Germany’s cybersecurity agency released its own warning about the vulnerability on Thursday. 

Correction: A previous version of this article incorrectly attributed details about the number of exposed SonicWall devices to Censys. The numbers are from Shodan. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.