The surge in attacks follows the public release of proof-of-concept (PoC) exploit code on February 10, 2025, by researchers at Bishop Fox, amplifying risks for organizations with unpatched devices.
CVE-2024-53704, rated 9.3 on the CVSS scale, resides in the SSL VPN authentication mechanism of SonicOS, the operating system powering SonicWall’s Gen 6, Gen 7, and TZ80 firewalls.
Attackers can remotely hijack active VPN sessions by sending a crafted session cookie containing a base64-encoded null byte string to the /cgi-bin/sslvpnclient
Successful exploitation bypasses multi-factor authentication (MFA), exposes private network routes, and allows unauthorized access to internal resources. Compromised sessions also enable threat actors to terminate legitimate user connections.
SonicWall initially disclosed the flaw on January 7, 2025, urging immediate patching. At the time, the vendor reported no evidence of in-the-wild exploitation.
However, Bishop Fox’s PoC publication on February 10 lowered the barrier to entry for attackers. By February 12, Arctic Wolf observed exploitation attempts originating from fewer than ten distinct IP addresses, primarily hosted on virtual private servers (VPS).
Security analysts attribute the rapid weaponization to the vulnerability’s critical impact and the historical targeting of SonicWall devices by ransomware groups like Akira and Fog.
As of February 7, over 4,500 internet-exposed SonicWall SSL VPN servers remained unpatched, according to Bishop Fox. Affected firmware versions include:
Patched versions, such as SonicOS 8.0.0-8037 and 7.1.3-7015, were released in January 2025.
The exploitation pattern mirrors previous campaigns. In late 2024, Akira ransomware affiliates leveraged compromised SonicWall VPN accounts to infiltrate networks, often encrypting data within hours of initial access.
Arctic Wolf warns that CVE-2024-53704 could similarly serve as a gateway for ransomware deployment, credential theft, or espionage.
SonicWall and cybersecurity agencies emphasize urgent action:
With active exploitation underway, organizations must prioritize patching to mitigate risks. The convergence of public PoC code, high attack feasibility, and SonicWall’s prominence in enterprise networks underscores the urgency.
As Arctic Wolf cautions, delays risk “catastrophic network compromise” given the severity of the vulnerability and the agility of ransomware actors.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
The post SonicWall Firewall Authentication Bypass Vulnerability Exploited in Wild Following PoC Release appeared first on Cyber Security News.
CountrySelect Pro is a lightweight vanilla JavaScript country selector that adds a searchable dropdown with…
Editium is a lightweight WYSIWYG editor that supports both React and Vanilla JavaScript with a…
A new open-source edge AI system called π RuView is turning ordinary WiFi infrastructure into…
SELMA, Ala. (AP) — Sixty-one years after state troopers attacked Civil Rights marchers on the…
A Janesville family is creating a scholarship foundation in memory of their son, 14-year-old Kase…
Spoilers follow for Star Trek: Starfleet Academy Episode 9, “300th Night,” which is available on…
This website uses cookies.