A critical authentication bypass vulnerability in SonicWall firewalls, tracked as CVE-2024-53704, is being actively exploited in the wild, cybersecurity firms warn.
The spike in attacks follows the public release of a proof-of-concept (PoC) exploit script on February 10, 2025, by researchers at Bishop Fox, raising the risk for organizations with unpatched devices.
CVE-2024-53704, rated CVSS 9.3, lies in the SSL VPN authentication mechanism of SonicOS, the operating system that runs SonicWall's Gen 6, Gen 7, and TZ80 firewalls.
By sending a crafted session cookie containing a base64-encoded null byte sequence to the /cgi-bin/sslvpnclient endpoint, attackers can remotely hijack active VPN sessions.
Successful exploitation bypasses multi-factor authentication (MFA), exposes private network routes, and grants unauthorized access to internal resources. Hijacked sessions also allow threat actors to disconnect legitimate users.
SonicWall first disclosed the flaw on January 7, 2025, urging immediate patching. At the time, the vendor reported no evidence of in-the-wild exploitation.
Exploitation of CVE-2024-53704 in the Wild
However, Bishop Fox's PoC publication on February 10 lowered the bar for opportunistic attackers. By February 12, Arctic Wolf had observed exploitation attempts originating from fewer than ten distinct IP addresses, mostly hosted on virtual private servers (VPS).
Security analysts attribute the rapid uptake to the vulnerability's high impact and the long-standing focus of ransomware groups such as Akira and Fog on SonicWall devices.
As of February 7, according to Bishop Fox, more than 4,500 publicly accessible SonicWall SSL VPN servers remained unpatched. Affected firmware versions include:
- SonicOS 7.1.x (up to 7.1.1-7058)
- SonicOS 7.1.2-7019
- SonicOS 8.0.0-8035
Patched releases, including SonicOS 8.0.0-8037 and 7.1.3-7015, were rolled out in January 2025.
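A fleet triage helper built from the version list above, added here as an example and not code from SonicWall, Bishop Fox or Arctic Wolf. It encodes the affected builds exactly as the article names them (treating "7.1.x up to 7.1.1-7058" as every 7.1 build at or below that), the fixed releases, and labels anything the article does not name as "unlisted"; the inventory is constructed sample data.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]  # major, minor, patch, build

# Affected builds as the article lists them (inclusive low/high spans).
# Assumption: "7.1.x (up to 7.1.1-7058)" covers every 7.1 build <= 7.1.1-7058.
AFFECTED_SPANS = [
    ((7, 1, 0, 0), (7, 1, 1, 7058)),     # SonicOS 7.1.x up to 7.1.1-7058
    ((7, 1, 2, 7019), (7, 1, 2, 7019)),  # SonicOS 7.1.2-7019
    ((8, 0, 0, 8035), (8, 0, 0, 8035)),  # SonicOS 8.0.0-8035
]
# Fixed releases named in the article, keyed by major version line.
FIXED = {7: (7, 1, 3, 7015), 8: (8, 0, 0, 8037)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch-build' (e.g. '7.1.1-7058') into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def classify(text: str) -> str:
    """Return 'affected', 'patched' or 'unlisted' for one SonicOS version string."""
    v = parse_version(text)
    if any(low <= v <= high for low, high in AFFECTED_SPANS):
        return "affected"
    fixed = FIXED.get(v[0])
    if fixed is not None and v >= fixed:
        return "patched"
    # Builds the article does not name (Gen 6 6.5.x, 8.0.0-8036, ...): not
    # assessable from the text alone, so flag for a check against the vendor advisory.
    return "unlisted"


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map hostname -> (version, status) for a firewall inventory."""
    return {host: (ver, classify(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"fw-edge-01": "7.1.1-7058", "fw-edge-02": "7.1.3-7015",
              "fw-branch-03": "8.0.0-8035", "fw-branch-04": "8.0.0-8037"}
    for host, (ver, status) in triage(sample).items():
        print(f"{host:14} {ver:12} {status}")
```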
The exploitation pattern mirrors earlier campaigns. In late 2024, Akira ransomware affiliates used compromised SonicWall VPN accounts to breach networks, often encrypting data within hours of initial access.
Arctic Wolf warns that CVE-2024-53704 could likewise serve as an entry point for ransomware deployment, credential theft, or espionage.
SonicWall and cybersecurity authorities urge prompt action:
- Update firmware to patched versions (e.g., 8.0.0-8037 or 7.1.3-7015).
- Disable SSL VPN on public-facing interfaces if immediate patching is not feasible.
- Restrict VPN access to trusted IP ranges and enforce MFA for remaining users.
Given the ongoing exploitation, organizations should prioritize patching to reduce risk. The combination of a public PoC script, ease of exploitation, and SonicWall's prevalence in corporate networks underscores the urgency.
As Arctic Wolf notes, delays risk “catastrophic network compromise” given the severity of the vulnerability and the agility of ransomware operators.
The article SonicWall Firewall Authentication Bypass Vulnerability Exploited in Wild Following PoC Release was originally posted on Cyber Security News.