SonicWall Firewall Authentication Bypass Vulnerability Exploited in Wild Following PoC Release

A critical authentication bypass vulnerability in SonicWall firewalls, tracked as CVE-2024-53704, is now being actively exploited in the wild, cybersecurity firms warn.

The surge in attacks follows the public release of proof-of-concept (PoC) exploit code on February 10, 2025, by researchers at Bishop Fox, amplifying risks for organizations with unpatched devices.

CVE-2024-53704, rated 9.3 on the CVSS scale, resides in the SSL VPN authentication mechanism of SonicOS, the operating system powering SonicWall’s Gen 6, Gen 7, and TZ80 firewalls.

Attackers can remotely hijack active VPN sessions by sending a crafted session cookie containing a base64-encoded null byte string to the /cgi-bin/sslvpnclient endpoint.

Successful exploitation bypasses multi-factor authentication (MFA), exposes private network routes, and allows unauthorized access to internal resources. Compromised sessions also enable threat actors to terminate legitimate user connections.

SonicWall initially disclosed the flaw on January 7, 2025, urging immediate patching. At the time, the vendor reported no evidence of in-the-wild exploitation.

CVE-2024-53704 Exploited in Wild

However, Bishop Fox’s PoC publication on February 10 lowered the barrier to entry for attackers. By February 12, Arctic Wolf observed exploitation attempts originating from fewer than ten distinct IP addresses, primarily hosted on virtual private servers (VPS).

Security analysts attribute the rapid weaponization to the vulnerability’s critical impact and the historical targeting of SonicWall devices by ransomware groups like Akira and Fog.

As of February 7, over 4,500 internet-exposed SonicWall SSL VPN servers remained unpatched, according to Bishop Fox. Affected firmware versions include:

• SonicOS 7.1.x (up to 7.1.1-7058)
• SonicOS 7.1.2-7019
• SonicOS 8.0.0-8035

Patched versions, such as SonicOS 8.0.0-8037 and 7.1.3-7015, were released in January 2025.

The exploitation pattern mirrors previous campaigns. In late 2024, Akira ransomware affiliates leveraged compromised SonicWall VPN accounts to infiltrate networks, often encrypting data within hours of initial access.

Arctic Wolf warns that CVE-2024-53704 could similarly serve as a gateway for ransomware deployment, credential theft, or espionage.

SonicWall and cybersecurity agencies emphasize urgent action:

1. Upgrade firmware to fixed versions (e.g., 8.0.0-8037 or 7.1.3-7015).
2. Disable SSL VPN on public interfaces if immediate patching isn’t feasible.
3. Restrict VPN access to trusted IP ranges and enforce MFA for remaining users.

With active exploitation underway, organizations must prioritize patching to mitigate risks. The convergence of public PoC code, high attack feasibility, and SonicWall’s prominence in enterprise networks underscores the urgency.

As Arctic Wolf cautions, delays risk “catastrophic network compromise” given the severity of the vulnerability and the agility of ransomware actors.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free