Researchers report active attacks on SonicWall SSLVPN flaw, patch now
Take action: If you are running generation six and generation seven SonicWall firewalls, start patching IMMEDIATELY. Take this one seriously, it's now actively exploited and has a public PoC. Locking down SSL VPN may help temporarily, but it's not a real fix because firewalls are regularly used to for VPN sessions.
Learn More
Researchers report that the security vulnerability in SonicWall firewalls, tracked as CVE-2024-53704, is currently under active exploitation following the public release of proof-of-concept (PoC) exploit code by Bishop Fox on February 10, 2025.
The vulnerability is a high-severity authentication bypass flaw in the SSLVPN authentication mechanism of SonicOS, the operating system powering SonicWall firewalls.
The vulnerability allows attackers to bypass Multi-Factor Authentication (MFA), gain unauthorized access to private information, disrupt active VPN sessions, open VPN tunnels, access private networks available to hijacked accounts and terminate user connections
Affected Systems:
- Gen7 Firewalls running SonicOS 7.1.x (7.1.1-7058 and older), and version 7.1.2-7019
- Gen7 NSv running SonicOS 7.1.x (7.1.1-7058 and older), and version 7.1.2-7019
- TZ80 running SonicOS 8.0.0-8035
As of February 7, 2025, approximately 4,500 internet-facing SonicWall SSL VPN servers remained unpatched and vulnerable to exploitation.
Arctic Wolf has reported evidence of exploitation attempts since February 12, 2025, originating from fewer than ten distinct sources, primarily from VPS hosting providers. These exploitation attempts have been accompanied by scanning for other vulnerabilities.
Users should update to patched versions:
- Version 7.1.3-7015 and higher for Gen7 Firewalls and NSv
- Version 8.0.0-8037 and higher for TZ80
If organizations are unable to immediately patch, SonicWall recommends either restricting SSLVPN access to trusted sources or completely disabling SSLVPN access from public networks
Update - As of 3rd of March 2025, BishopFox are warning that the exploitation of CVE-2024-53704 is trivial, allowing them to identify compromised users, obtain configuration files, access private routes, and establish VPN tunnel connections without knowing user passwords, effectively granting access to any network resources accessible to the victim and potentially disconnecting legitimate users from their sessions.
As of 7th of April 2025, SonicWall wanrs that Proof-of-Concepts (PoCs) for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) are publicly available, which significantly increases the risk of exploitation. Customers are advised to immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update is not possible, disable SSLVPN.
