SonicOS SSL VPN Authentication Bypass Vulnerability (CVE-2024-53704)

A proof-of-concept exploit has been published for CVE-2024-53704, which affects SonicWall NGFWs

Threat ID:: CC-4619
Threat Severity:: High
Published:: 12 February 2025 3:30 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

A proof-of-concept exploit has been published for CVE-2024-53704, which affects SonicWall NGFWs

Affected platforms

The following platforms are known to be affected:

SonicWall SonicOS

Versions: 7.1.x (7.1.1-7058 and earlier), 7.1.2-7019

SonicWall Gen 7 Next Generation Firewall (NGFW)

TZ270
TZ270W
TZ370
TZ370W
TZ470
TZ470W
TZ570
TZ570W
TZ570P
TZ670
NSa 2700
NSa 3700
NSa 4700
NSa 5700
NSa 6700
NSsp 10700
NSsp 11700
NSsp 13700
NSsp 15700

Also Gen7 NSv

NSv 270
NSv 470
NSv 870

Versions: 8.0.0-8035

SonicWall TZ80

Threat details

Exploitation of CVE-2024-53704

A security firm has reported active exploitation of CVE-2024-53704.

SonicWall's SNWLID-2025-0003 advisory also discloses that proof-of-concept exploits for the vulnerability are publicly available, stating:

'Proof-of-Concepts (PoCs) for the SonicOS SSL VPN Authentication Bypass Vulnerability (CVE-2024-53704) are now publicly available. This significantly increases the risk of exploitation.'

Due to public proof-of-concept exploits and observed exploitation, NHS England's National CSOC urge organisations to patch immediately.

Introduction

A proof-of-concept (PoC) exploit has been published by security researchers for an authentication bypass vulnerability in the SonicOS SSL VPN component. SonicWall appliances provide virtual private network (VPN) and 'next-gen' firewall capabilities.

SonicWall formally disclosed and released security updates addressing CVE-2024-53704 on 07 January 2025. Successful exploitation of CVE-2024-53704 could allow a remote, unauthenticated attacker to bypass authentication and hijack a legitimate SSL VPN session.

Researchers at Bishop Fox have stated 'an attacker with control of an active SSL VPN session can read the user’s Virtual Office bookmarks, obtain a client configuration profile for NetExtender, open a VPN tunnel, access private networks available to the hijacked account, and log out the session (terminating the user’s connection as well).'

Threat updates

Date	Update
14 Feb 2025	Cyber Alert updates to reflect active exploitation of CVE-2024-53704 in-the-wild

Remediation advice

Affected organisations must review SonicWall security advisory SNWLID-2025-0003 and apply the relevant updates.

Remediation steps

Type	Step
Patch	SNWLID-2025-0003 Apply security updates as soon as practicable. psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003
Guidance	To minimize the potential impact of SSL VPN vulnerabilities, please ensure that access is limited to trusted sources, or disable SSL VPN access from the Internet. For more information about disabling firewall SSL VPN access, see this link. https://www.sonicwall.com/support/knowledge-base/how-can-i-setup-ssl-vpn/170505609285133

Type

Step

Patch

SNWLID-2025-0003

Apply security updates as soon as practicable.

psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003

Guidance

To minimize the potential impact of SSL VPN vulnerabilities, please ensure that access is limited to trusted sources, or disable SSL VPN access from the Internet. For more information about disabling firewall SSL VPN access, see this link.

https://www.sonicwall.com/support/knowledge-base/how-can-i-setup-ssl-vpn/170505609285133

Definitive source of threat updates

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003

CVE Vulnerabilities

Status Published

CVE-2024-53704

An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.

Last edited: 14 February 2025 2:12 pm