Attackers are actively exploiting a critical authentication bypass vulnerability in SonicWall firewalls to gain unauthorized network access.
The vulnerability, tracked as CVE-2024-53704 with a critical CVSS score of 9.8, allows remote attackers to hijack active SSL VPN sessions without authenticating.
Security researchers at Bishop Fox have thoroughly documented how the flaw in SonicWall’s SonicOS allows attackers to bypass the authentication mechanism in the SSL VPN component.
The vulnerability affects SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, used across multiple models of Gen 6 and Gen 7 firewalls and SOHO series devices.
“An unprivileged attacker can send a request to the SSL VPN, and as long as at least one VPN user is connected, hijack their session,” researchers explained.
The exploit works by sending a specially crafted session cookie containing a base64-encoded string of null bytes to the SSL VPN authentication endpoint at ‘/cgi-bin/sslvpnclient’.
This triggers an incorrect validation of the session, as the mechanism assumes that the request is associated with an active VPN session.
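A detection check for the request pattern described above, added here as an example and not taken from SonicWall, Bishop Fox or Arctic Wolf: it scans request logs for any cookie sent to `/cgi-bin/sslvpnclient` whose value base64-decodes to nothing but null bytes. The JSON-lines log schema, its field names and the cookie names are assumptions, and it presumes a TLS-terminating proxy or capture that records the Cookie header.

```python
import base64
import binascii
import json
from urllib.parse import unquote

SSLVPN_PATH = "/cgi-bin/sslvpnclient"  # endpoint named in the article

# Constructed sample input: hypothetical JSON-lines schema, documentation IPs,
# made-up cookie names. Nothing here comes from a real capture.
SAMPLE_LOG = """\
{"ts": "2025-02-14T09:01:12Z", "src": "198.51.100.23", "path": "/cgi-bin/sslvpnclient", "cookie": "session=AAAAAAAAAAAAAAAAAAAAAA%3D%3D"}
{"ts": "2025-02-14T09:02:40Z", "src": "203.0.113.7", "path": "/cgi-bin/sslvpnclient", "cookie": "session=q83vEjRWeJCrze8SNFZ4kA=="}
{"ts": "2025-02-14T09:03:05Z", "src": "198.51.100.23", "path": "/index.html", "cookie": "session=AAAAAAAA"}
this line is truncated and not valid JSON
{"ts": "2025-02-14T09:04:51Z", "src": "192.0.2.44", "path": "/cgi-bin/sslvpnclient?v=1", "cookie": "lang=en; session=AAAAAAAAAAA"}
"""

def decodes_to_null_bytes(value):
    """True if value is base64 that decodes to one or more 0x00 bytes only."""
    data = unquote(value).strip().rstrip("=")  # tolerate URL-encoded or missing padding
    try:
        raw = base64.b64decode(data + "=" * (-len(data) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and raw.count(0) == len(raw)

def find_suspect_requests(log_text):
    """Return (ts, src, cookie_name) for each null-byte cookie sent to the endpoint."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines rather than abort the hunt
        if not isinstance(rec, dict):
            continue
        if str(rec.get("path", "")).split("?", 1)[0] != SSLVPN_PATH:
            continue  # only the SSL VPN authentication endpoint is in scope
        for part in str(rec.get("cookie", "")).split(";"):
            name, sep, value = part.strip().partition("=")
            if sep and decodes_to_null_bytes(value):
                hits.append((rec.get("ts"), rec.get("src"), name))
    return hits

if __name__ == "__main__":
    for ts, src, name in find_suspect_requests(SAMPLE_LOG):
        print(f"{ts} {src} null-byte value in cookie {name!r}")
```

A hit is a lead for triage: correlate the source address and timestamp with SSL VPN session logs for the same period.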
On February 14, 2025, cybersecurity company Arctic Wolf reported detecting exploitation attempts “shortly after the PoC was made public,” confirming SonicWall’s concerns about the vulnerability’s exploitation potential.
“The released PoC exploit allows an unauthenticated threat actor to bypass MFA, disclose private information, and interrupt running VPN sessions,” Arctic Wolf stated.
The summary of the vulnerability is given below:
| Risk Factors | Details |
| --- | --- |
| Affected Products | SonicWall NSv devices, Gen6 Hardware Firewalls (versions prior to 6.5.5.1-6n), Gen7 Firewalls, SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035 |
| Impact | Bypass of SSLVPN authentication mechanisms; hijacking of active SSL VPN sessions; unauthorized access to private networks |
| Exploit Prerequisites | At least one active SSL VPN session must exist; exploitation does not require authentication or user interaction |
| CVSS 3.1 Score | 9.8 (Critical) |
Once successful, attackers can:
“That means the attacker can gain access to anything the victim can reach inside the private network,” Williams emphasized.
SonicWall initially disclosed the vulnerability on January 7, 2025, urging customers to upgrade their firewalls’ firmware immediately. Bishop Fox researchers successfully reproduced the vulnerability and released a proof-of-concept exploit approximately one month after patches were available.
Scans indicated that approximately 4,500 internet-facing SonicWall SSL VPN servers remained unpatched, and later reports showed the number growing to 11,000 vulnerable devices.
CISA has added CVE-2024-53704 to its Known Exploited Vulnerabilities Catalog and requested that organizations patch affected systems before March 11, 2025.
SonicWall has released patched versions that address this vulnerability:
For organizations unable to patch immediately, SonicWall recommends limiting access to trusted sources and restricting access from the Internet entirely if not needed.
Security experts emphasize that despite the significant reverse-engineering effort required to uncover the vulnerability, the exploit itself is trivial to execute, making immediate patching critical for all affected organizations.