SonicWall Firewall Bug Leveraged in Attacks After PoC Exploit Release
Summary:
On January 7, 2024, SonicWall released security updates to address an improper authentication vulnerability in the SSLVPN authentication mechanism, which could allow remote attackers to hijack active SSL VPN sessions without authentication. Tracked as CVE-2024-53704, this flaw affects SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, impacting multiple models of Gen 6 and Gen 7 firewalls, as well as SOHO series devices. At the time of the disclosure, SonicWall warned that exploitation of CVE-2024-53704 was imminent and strongly advised customers to update their SonicOS firmware. In a recent blog post, Arctic Wolf confirmed that exploitation attempts have already been detected in the wild, following the release of proof-of-concept (POC) code by security researchers at Bishop Fox on February 7, 2025.
Security Officer Comments:
While POCs are intended to help organizations better understand security vulnerabilities and strengthen their defenses, they also provide detailed, step-by-step instructions on how to exploit these flaws, making it easier for less-skilled attackers to exploit them in real-world attacks. According to Arctic Wolf, the latest POC released by Bishop Fox allows unauthenticated actors to bypass multi-factor authentication, expose private information, and disrupt active VPN sessions. While exploitation attempts leveraging CVE-2024-53704 have been observed in the wild, specific details about these attacks have not yet emerged. Arctic Wolf has previously tracked ransomware groups like Akira targeting SSL VPN user accounts on SonicWall devices to gain initial access, underscoring the critical need for organizations to apply updates and secure these appliances promptly.
Suggested Corrections:
Bishop Fox notes that approximately 4,500 SonicWall devices are susceptible to CVE-2024-53704 and exposed to the internet, leaving ample opportunity for actors to target these appliances to gain access to organizational networks.
Recommendations from SonicWall:
- Apply the patch as soon as possible for impacted products; the latest patch builds are available for download on mysonicwall.com.
- To minimize the potential impact of SSLVPN vulnerabilities, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet. For more information about disabling firewall SSLVPN access, see: how-can-i-setup-ssl-vpn.
- To minimize the potential impact of an SSH vulnerability, we recommend restricting firewall management to trusted sources or disabling firewall SSH management from Internet access.
- For more information about disabling firewall SSH management access, see: [how-can-i-restrict-SonicOS-admin-access](https://www.sonicwall.com/support/k...ct-admin-access-to-the-device/170503259079248.).
https://arcticwolf.com/resources/blog/cve-2024-53704/
https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003
https://www.bleepingcomputer.com/ne...veraged-in-attacks-after-poc-exploit-release/