5,000+ SonicWall firewalls vulnerable to attack due to CVE-2024-53704

Around 5,000 SonicWall firewalls are still exposed to a high-severity vulnerability (CVE-2024-53704), which SonicWall has warned could be exploited imminently. Bishop Fox researchers recently announced that they had successfully exploited the vulnerability on unpatched SonicWall firewalls and plan to release details of their exploit code on February 10.

According to the researchers, while it required significant reverse-engineering effort to find and exploit the vulnerability, the actual exploit is relatively simple in nature. Despite this, there is currently no evidence to suggest that attackers have developed their own exploit for this vulnerability.

In the past, cybercriminals took advantage of vulnerabilities in SonicWall products shortly after patches were released. For example, after the release of a patch for CVE-2024-40766, it took the ransomware groups Akira and Fog only a matter of weeks (or possibly days) to devise an exploit. That vulnerability was an improper access control issue in SonicWall SonicOS management access and SSL VPN.

A fix for CVE-2024-53704 is available in the form of new firmware that was released on January 7, 2024. This firmware addresses an improper authentication vulnerability in the SonicOS SSL VPN authentication mechanism, which allows remote attackers to bypass authentication. The affected platforms include Gen7 firewalls, Gen7 NSv virtual firewalls, and the TZ80 next-generation firewall for small offices, home offices, and IoT.

SonicWall has urged its partners to implement the security update quickly to mitigate the threat posed by the vulnerability. The company recommended limiting access to trusted sources or disabling SSL VPN access from the internet to minimize the potential impact of SSL VPN vulnerabilities.

Bishop Fox researchers confirmed that the vulnerability can be exploited remotely without authentication, enabling attackers to hijack active SSL VPN client sessions. Attackers with control of an active SSL VPN session could access user bookmarks, obtain client configuration profiles, open VPN tunnels, access private networks, and terminate user connections.

Despite their ability to exploit the vulnerability, the researchers have chosen not to disclose more details about the flaw and exploit, giving organizations time to patch their systems before making the information public.

Recently, SonicWall also warned about attackers exploiting CVE-2025-23006, a critical vulnerability affecting its Secure Mobile Access (SMA) 1000 Series appliances. This is not the first time SonicWall products have been targeted, as attackers previously leveraged zero-day flaws in SonicWall Email Security appliances in 2021.

Overall, organizations using SonicWall firewalls should prioritize applying patches and implementing security updates to protect against potential exploitation of vulnerabilities like CVE-2024-53704. Vigilance and prompt action can help prevent cybercrime incidents and safeguard critical infrastructure.
