SonicWall CVE-2024-53704 Bug Under Attack

There are active exploitation attempts targeting an authentication bypass vulnerability in several versions of SonicWall’s SonicOS SSLVPN, a bug that can let an attacker hijack active VPN sessions. SonicWall disclosed the flaw in January and released a patch for it, but attackers have recently begun to exploit it in the wild.
CVE: CVE-2024-53704
Why It Matters: This vulnerability is rated critical, and an adversary who is able to exploit it can bypass authentication and take control of a victim’s active VPN session. With that, the attacker “can read the user’s Virtual Office bookmarks, obtain a client configuration profile for NetExtender, open a VPN tunnel, access private networks available to the hijacked account, and log out the session”, according to an analysis of the bug by researchers at Bishop Fox. SonicWall’s Gen 7 firewalls, which contain the vulnerable software, are popular in enterprises, and edge security devices are very popular targets for adversaries.
Key Details
CVE-2024-53704 is an authentication bypass flaw that can give an attacker control of a victim’s VPN session. “This vulnerability allows remote attackers to bypass authentication on affected installations of SonicWALL NSv. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of Base64-encoded session cookies. The issue results from an incorrect implementation of an authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system,” an advisory from Trend Micro’s Zero Day Initiative says.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Feb. 18.
Bishop Fox researchers found more than 4,500 vulnerable servers as of Feb. 7 and said that detecting exploitation activity against the bug is not simple.
“With a custom logging configuration, a firewall administrator may be able to correlate access logs from multiple source IP addresses to a single SSL VPN session, which may provide evidence of session hijacking if one of the source IPs is associated with other suspicious or malicious behavior,” the Bishop Fox researchers said.
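The correlation the researchers describe can be sketched as follows. This is an added example, not code from Bishop Fox or SonicWall: the key=value log format, the field names and the sample lines are constructed for illustration and do not reflect real SonicOS output, and the "interleaved" flag (an earlier source IP reappearing after a different one) is an assumed heuristic for separating concurrent use from a client that simply changed address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical key=value format (not SonicOS output).
SAMPLE_LOG = """\
2025-02-10T09:00:01Z src=198.51.100.7 user=alice session=S1 action=login
2025-02-10T09:05:12Z src=198.51.100.7 user=alice session=S1 action=portal
2025-02-10T09:06:40Z src=203.0.113.50 user=alice session=S1 action=profile_download
2025-02-10T09:07:02Z src=198.51.100.7 user=alice session=S1 action=portal
2025-02-10T09:10:00Z src=192.0.2.15 user=bob session=S2 action=login
2025-02-10T09:30:00Z src=192.0.2.15 user=bob session=S2 action=portal
2025-02-10T10:00:00Z src=192.0.2.80 user=carol session=S3 action=login
2025-02-10T11:45:00Z src=192.0.2.99 user=carol session=S3 action=portal
malformed line without fields
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) session=(?P<sid>\S+)")

def find_shared_sessions(log_text):
    """Return {session_id: finding} for sessions seen from more than one source IP."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry the expected fields
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["sid"]].append((ts, m["src"], m["user"]))

    findings = {}
    for sid, evs in events.items():
        evs.sort()  # chronological order per session
        ips = [src for _, src, _ in evs]
        distinct = sorted(set(ips))
        if len(distinct) < 2:
            continue
        # Collapse consecutive repeats; an address that reappears after another
        # one was seen means the session was used from both in the same period.
        runs = [ip for i, ip in enumerate(ips) if i == 0 or ip != ips[i - 1]]
        findings[sid] = {
            "user": evs[0][2],
            "source_ips": distinct,
            "interleaved": len(runs) > len(set(runs)),
        }
    return findings

if __name__ == "__main__":
    for sid, f in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, f)
```

A flagged session is a lead for review rather than proof of hijacking; as the quote notes, it becomes evidence when one of the source IPs is tied to other suspicious behavior.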
Attackers have shown a fondness for targeting edge security products in recent months, so any publicly disclosed vulnerabilities in those products should be treated as a serious issue. The patch for this vulnerability has been available for more than a month, and enterprises that haven’t updated their SonicWall products yet should do so as soon as possible.