SonicWall Firewall Authentication Bypass Vulnerability Exploited in Wild Following PoC Release
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical authentication bypass vulnerability in SonicWall firewalls, tracked as CVE-2024-53704, is now being actively exploited in the wild, cybersecurity firms warn.<\/p>\n
The surge in attacks follows the public release of proof-of-concept (PoC) exploit code on February 10, 2025, by researchers at Bishop Fox, amplifying risks for organizations with unpatched devices.<\/p>\n
CVE-2024-53704<\/a>, rated 9.3 on the CVSS scale, resides in the SSL VPN authentication mechanism of SonicOS, the operating system powering SonicWall\u2019s Gen 6, Gen 7, and TZ80 firewalls.<\/p>\n Attackers can remotely hijack active VPN sessions by sending a crafted session cookie containing a base64-encoded null byte string to the Successful exploitation bypasses multi-factor authentication (MFA), exposes private network routes, and allows unauthorized access to internal resources. Compromised sessions also enable threat actors to terminate legitimate user connections.<\/p>\n SonicWall initially disclosed the flaw on January 7, 2025, urging immediate patching. At the time, the vendor reported no evidence of in-the-wild exploitation.<\/p>\n However, Bishop Fox\u2019s PoC publication<\/a> on February 10 lowered the barrier to entry for attackers. By February 12, Arctic Wolf observed<\/a> exploitation attempts originating from fewer than ten distinct IP addresses, primarily hosted on virtual private servers (VPS)<\/a>.<\/p>\n Security analysts attribute the rapid weaponization to the vulnerability\u2019s critical impact and the historical targeting of SonicWall devices by ransomware groups like Akira and Fog.<\/p>\n As of February 7, over 4,500 internet-exposed SonicWall SSL VPN<\/a> servers remained unpatched, according to Bishop Fox. Affected firmware versions include:<\/p>\n Patched versions, such as SonicOS 8.0.0-8037 and 7.1.3-7015, were released in January 2025.<\/p>\n The exploitation pattern mirrors previous campaigns. In late 2024, Akira<\/a> ransomware affiliates leveraged compromised SonicWall VPN accounts to infiltrate networks, often encrypting data within hours of initial access.<\/p>\n Arctic Wolf warns that CVE-2024-53704 could similarly serve as a gateway for ransomware deployment, credential theft, or espionage.<\/p>\n SonicWall and cybersecurity agencies emphasize urgent action:<\/p>\n With active exploitation underway, organizations must prioritize patching to mitigate risks. The convergence of public PoC code, high attack feasibility, and SonicWall\u2019s prominence in enterprise networks underscores the urgency. <\/p>\n As Arctic Wolf cautions, delays risk \u201ccatastrophic network compromise\u201d given the severity of the vulnerability and the agility of ransomware actors.<\/p>\n The post SonicWall Firewall Authentication Bypass Vulnerability Exploited in Wild Following PoC Release<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\/cgi-bin\/sslvpnclient<\/code> endpoint.<\/p>\nCVE-2024-53704 Exploited in Wild<\/strong><\/h2>\n
\n
\n
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n