SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN
Roses are red, violets are blue, CVE-2024-53704 is sweet for a ransomware crew
Miscreants are actively abusing a high-severity authentication bypass bug in unpatched internet-facing SonicWall firewalls following the public release of proof-of-concept exploit code.
The vulnerability, tracked as CVE-2024-53704, is a flaw in the SSL VPN authentication mechanism in SonicOS, the operating system that SonicWall firewalls use. If exploited, it allows remote attackers to bypass authentication on vulnerable SonicOS equipment, hijack the devices' active SSL VPN sessions, and gain unauthorized access to affected networks.
"Shortly after the proof-of-concept was made public, Arctic Wolf began observing exploitation attempts of this vulnerability in the threat landscape," the threat monitoring and detection outfit warned Thursday.
SonicWall first disclosed CVE-2024-53704 in early January. The security hole affects multiple Gen 7 and TZ80 SonicWall firewalls. The good news is upgrading to the latest version of SonicOS will plug the hole.
Given that attackers ranging from suspected Chinese spies to ransomware criminals have a history of exploiting buggy SonicWall devices, you'd hope users patched this hole immediately.
Not everyone got the memo, it appears.
On January 30, Bishop Fox researchers said they were able to exploit the flaw in unpatched firewalls and called the attack "trivial."
SonicWall echoed this call to action in an updated security advisory, and said "customers must immediately update." If for whatever reason you can't update to a fixed firmware version, SonicWall suggests disabling the SSL VPN mechanism.
More specifically on the outcome of exploitation, Bishop Fox noted:
An attacker with control of an active SSL VPN session can read the user’s Virtual Office bookmarks, obtain a client configuration profile for NetExtender, open a VPN tunnel, access private networks available to the hijacked account, and log out the session (terminating the user’s connection as well).
Later, on February 10, Bishop Fox published full exploit details, including code, providing step-by-step instructions for how to bypass authentication and hijack active SSL VPN sessions. The researchers also noted that, as of February 7, about 4,500 internet-facing SonicWall SSL VPN servers remained unpatched.
"If you have not yet upgraded your SonicWall firewalls to the latest available firmware, please follow SonicWall's advice and upgrade immediately," Bishop Fox senior security engineer Jon Williams urged.
We couldn't agree more. Arctic Wolf also told us today: "We see evidence of CVE-2024-53704 exploitation attempts since February 12, 2025, with fewer than ten distinct sources. The traffic originates from a handful of VPS hosting providers, and the activity includes scanning for a variety of other vulnerabilities as well." ®
Updated to add at 1645 UTC on February 18, 2025
According to SonicWall's Product Security Incident Response Team, "There are currently no reports of exploitation related to this vulnerability."