On February 10, 2025, Bishop Fox published technical details and proof-of-concept (PoC) exploit code for CVE-2024-53704, a high-severity authentication bypass vulnerability caused by a flaw in the SSLVPN authentication mechanism in SonicOS, the operating system used by SonicWall firewalls. Shortly after the PoC was made public, Arctic Wolf began observing exploitation attempts of this vulnerability in the threat landscape.
The released PoC exploit allows an unauthenticated threat actor to bypass MFA, disclose private information, and interrupt running VPN sessions. SonicWall originally published an advisory for CVE-2024-53704 in early January, after security researchers responsibly disclosed the vulnerability to them. As of the publication of the advisory, SonicWall stated they had not yet observed any exploitation of the vulnerability in the wild.
Historically, threat actors have leveraged authentication bypass vulnerabilities on firewall and VPN gateways to deploy ransomware. In late 2024, Arctic Wolf observed Akira ransomware affiliates targeting SSL VPN user accounts on SonicWall devices as an initial access vector in their ransomware attacks. Given the ease of exploitation and available threat intelligence, Arctic Wolf strongly recommends upgrading to a fixed firmware version to address this vulnerability.
Recommendation for CVE-2024-53704
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of SonicOS.
| Affected Firewall Model | Affected SonicOS Version | Fixed SonicOS Version |
| --- | --- | --- |
| Gen7 Firewalls | 7.1.x (7.1.1-7058 and older versions), and version 7.1.2-7019 | 7.1.3-7015 and higher |
| Gen7 NSv | 7.1.x (7.1.1-7058 and older versions), and version 7.1.2-7019 | 7.1.3-7015 and higher |
| TZ80 | 8.0.0-8035 | 8.0.0-8037 and higher |
Note: SonicWall SSL VPN SMA100 and SMA1000 series products are not affected by CVE-2024-53704.
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
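To check a device inventory against the version table above, the following added example (not code from SonicWall or Arctic Wolf) classifies SonicOS version strings as AFFECTED, FIXED or NOT_LISTED. The family labels `gen7`, `gen7-nsv` and `tz80`, the host names and the inventory rows are constructed assumptions; versions the table does not mention are reported as NOT_LISTED rather than guessed.

```python
import re

# "7.1.1-7058" -> (7, 1, 1, 7058); any trailing text after the build is ignored.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)")

def parse_version(text):
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized SonicOS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def classify(family, version):
    """Return AFFECTED, FIXED or NOT_LISTED according to the advisory table."""
    v = parse_version(version)
    family = family.strip().lower()
    if family == "tz80":
        if v == (8, 0, 0, 8035):
            return "AFFECTED"
        return "FIXED" if v >= (8, 0, 0, 8037) else "NOT_LISTED"
    if family in ("gen7", "gen7-nsv"):  # both rows list the same versions
        if v[:2] == (7, 1) and (v <= (7, 1, 1, 7058) or v == (7, 1, 2, 7019)):
            return "AFFECTED"
        return "FIXED" if v >= (7, 1, 3, 7015) else "NOT_LISTED"
    return "NOT_LISTED"  # SMA100/SMA1000 and anything else the table omits

# Constructed inventory rows: host name, family label, running SonicOS version.
INVENTORY = """\
fw-hq-01,gen7,7.1.1-7051
fw-hq-02,gen7,7.1.2-7019
fw-dc-01,gen7-nsv,7.1.3-7015
fw-lab-01,gen7,7.0.1-5161
fw-branch-01,tz80,8.0.0-8035
fw-branch-02,tz80,8.0.0-8037
"""

def audit(inventory_text):
    """Map each host to its classification; NOT_LISTED needs a manual check."""
    results = {}
    for line in inventory_text.strip().splitlines():
        host, family, version = (field.strip() for field in line.split(","))
        results[host] = classify(family, version)
    return results

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as NOT_LISTED run a version the table does not cover and should be checked against the SonicWall advisory directly.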
Workaround(s)
In their advisory, SonicWall advises minimizing the impact of SSLVPN vulnerabilities by restricting access to trusted sources or disabling SSLVPN access from public networks.
For more information about disabling firewall SSLVPN access, see: how-can-i-setup-ssl-vpn.