Cybersecurity company SonicWall says hackers are exploiting a newly discovered vulnerability in one of its enterprise products to break into its customers’ corporate networks. 

SonicWall said in an advisory that the vulnerability in its SMA1000 remote access appliance, which companies use to allow their employees to remotely log in to their corporate networks as if they were in the office, allows anyone over the internet to plant malware on affected devices without needing a login for the system.

The vulnerability, tracked as CVE-2025-23006, was discovered by Microsoft and shared with SonicWall last week. In a subsequent support post, SonicWall said the vulnerability is “confirmed as being actively exploited in the wild,” indicating that some of SonicWall’s corporate customers had been hacked. The bug is known as a zero day because it was exploited before SonicWall had time to provide customers with a fix.

When contacted by TechCrunch, neither SonicWall nor Microsoft said how many companies had their networks compromised in the attacks, but urged customers to patch affected systems by installing the security hotfix that SonicWall has since released.

Several thousand SMA 1000 appliances are exposed to the internet, according to a Shodan search result shared by Bleeping Computer, putting many of those companies with unpatched systems at greater risk of attacks.

Malicious hackers are increasingly targeting corporate cybersecurity products, such as firewalls, remote access tools, and VPN products. These devices exist on the perimeter of corporate networks to protect against would-be intruders and unauthorized access. But they also have a propensity to contain software bugs that can render their security protections ineffective, allowing hackers to compromise the very networks that these devices were tasked with protecting.

In recent years, some of the biggest makers of corporate cybersecurity products, including Barracuda, Check Point, Cisco, Citrix, Fortinet, Ivanti, and Palo Alto Networks, have disclosed zero-day attacks targeting their customers, which have resulted in broader network compromises. 

According to U.S. cybersecurity agency CISA, the top most routinely exploited vulnerabilities during 2023 were found in enterprise products developed by Citrix, Cisco, and Fortinet, and used by hackers to conduct operations against “high-priority targets.”