Critical SonicWall SSL VPN Vulnerability (CVE-2024-53704) Allows Remote Session Hijacking

A newly discovered vulnerability in SonicWall’s SSL VPN solution (CVE-2024-53704) enables remote attackers to hijack active VPN sessions, bypassing authentication without the need for credentials. Affecting several versions of SonicOS, this flaw puts thousands of organizations at risk of unauthorized network access. Despite patches being released in January 2025, thousands of internet-facing SonicWall devices remain unpatched. Experts urge immediate updates to prevent exploitation and safeguard internal resources.

Severe Vulnerability in SonicWall SSL VPN Poses High Risk to Organizations, Exploitation Ongoing

A critical vulnerability in SonicWall’s SSL VPN solution has placed thousands of organizations at risk of severe security breaches, with attackers able to hijack VPN sessions and gain unauthorized access to sensitive internal networks. The flaw, tracked as CVE-2024-53704, was discovered by researchers at Bishop Fox and affects several versions of SonicOS, the operating system running on SonicWall firewalls.

According to the findings, nearly 4,500 internet-exposed SonicWall firewalls remain unpatched, leaving them vulnerable to exploitation. This flaw is particularly concerning for businesses that rely on SonicWall for secure remote access, as it enables attackers to hijack active SSL VPN sessions remotely, bypassing authentication mechanisms with minimal effort.

Vulnerability Details and Exploitation

SonicWall’s SSL VPN product, which is widely used for providing secure remote access to corporate networks, is impacted by a high-severity authentication bypass vulnerability. The flaw exists within the SSLVPN authentication process of SonicOS versions 7.1.x (7.1.1-7058 and older), 7.1.2-7019, and 8.0.0-8035, which are still used by thousands of organizations worldwide. Researchers at Bishop Fox were able to confirm that remote attackers can exploit the flaw to hijack active SSL VPN sessions without any need for authentication, putting organizational security at immediate risk.
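The affected builds listed above can be turned into a quick inventory triage. The following is an added example, not code from SonicWall, Bishop Fox, or this article: it parses SonicOS version strings of the form major.minor.patch-build and reports whether a build falls inside the ranges named here (7.1.x up to and including 7.1.1-7058, 7.1.2-7019, and 8.0.0-8035). The hostnames and versions in the sample inventory are constructed. Any version outside those ranges is reported as "not_listed" rather than "safe", because the article does not state the fixed builds; confirm those against the vendor advisory.

```python
"""Added example: triage SonicOS builds against the CVE-2024-53704 affected ranges.
Not code from SonicWall, Bishop Fox, or the article."""
import re
from typing import Optional, Tuple

# Affected ranges exactly as the article lists them:
#   7.1.x up to and including 7.1.1-7058, plus 7.1.2-7019, plus 8.0.0-8035.
# Anything else is "not_listed", not "safe": check the vendor advisory for fixed builds.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """'7.1.1-7058' -> (7, 1, 1, 7058); None if the string is not in that shape."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def cve_2024_53704_status(version_text: str) -> str:
    """Return 'vulnerable', 'not_listed', or 'unparseable' for one SonicOS build string."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    major, minor, patch, build = v
    # 7.1.x, 7.1.1-7058 and older: compare (patch, build) lexicographically.
    if (major, minor) == (7, 1) and (patch, build) <= (1, 7058):
        return "vulnerable"
    # The two single builds the advisory names explicitly.
    if v in {(7, 1, 2, 7019), (8, 0, 0, 8035)}:
        return "vulnerable"
    return "not_listed"


def triage(inventory):
    """inventory: iterable of (hostname, version) pairs -> {hostname: status}."""
    return {host: cve_2024_53704_status(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = [
        ("fw-hq", "7.1.1-7058"),
        ("fw-branch", "7.1.2-7019"),
        ("fw-tz80", "8.0.0-8035"),
        ("fw-old", "7.1.0-7012"),
        ("fw-lab", "7.1.3-7015"),
        ("fw-typo", "7.1"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Feed it the output of whatever inventory you already have (the firewall's own version string as shown in the management UI or API). The build number matters: 7.1.1-7058 is vulnerable, while a later 7.1.1 build would not fall in the stated range, so do not compare on major.minor alone.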

Bishop Fox’s detailed analysis found that an attacker can send a specially crafted session cookie, a base64-encoded string of null bytes, to the SSL VPN client endpoint (/cgi-bin/sslvpnclient). The server fails to validate the cookie properly and instead binds the request to an existing session: the legitimate user is logged out while the attacker takes over that session. From there the attacker can read whatever the session exposes, such as VPN configuration profiles, private network routes, and other resources the hijacked user can reach.

“The exploit itself is trivial,” stated one of the researchers, “but the impact of a successful attack can be devastating, as attackers can gain unfettered access to critical internal resources.”

The Attack Process

To successfully hijack a VPN session, an attacker can inject a crafted base64-encoded session cookie into the authentication request. Once the attacker’s cookie is accepted, they gain access to the same session and can carry out the following actions:

  • Gain access to the victim’s Virtual Office bookmarks: These bookmarks can contain sensitive links to internal systems.
  • Obtain the NetExtender client configuration profile: This configuration can allow the attacker to launch a VPN tunnel and potentially access private networks.
  • Hijack the session entirely: Attackers can log out the legitimate user, causing them to lose access while the attacker maintains control.

Further investigation showed that a cookie whose base64-decoded value is 32 null bytes is enough to bypass authentication and obtain a session. The flaw stems from improper handling of session cookies in the SSL VPN authentication code, made worse by the absence of any integrity check on the cookie value.

Vulnerable Versions and Immediate Patch

SonicWall acknowledged the vulnerability and released patches on January 7, 2025, for the affected SonicOS versions. However, many organizations have yet to apply the updates, leaving them exposed to attacks. The vulnerability has been actively exploited in the wild, and as of February 2025, a significant number of systems remain unpatched.

The flaw is particularly dangerous because of its remote exploitability. Exploiting the vulnerability does not require any prior authentication, making it easy for attackers to target organizations without needing internal credentials or access. The exploitation process is straightforward, requiring only the crafting of a malicious session cookie.

The Exploitation Pathway

The vulnerability was identified after detailed reverse engineering of the SonicOS firmware by Bishop Fox researchers. They found that a crucial part of the code, the getSslvpnSessionFromCookie function, was susceptible to manipulation, where the absence of proper handling for null byte characters allowed attackers to bypass the session validation entirely.

Through dynamic analysis, the researchers traced how the malicious cookie is processed by SonicWall’s systems. They used nxBender, a third-party Python tool that reimplements the NetExtender client, to simulate client behavior and confirm that the flaw is remotely exploitable. With it they showed how the crafted session cookie hijacks an active session without the attacker ever authenticating.

Once the session hijacking is successful, attackers can obtain full control of the session, which includes the ability to read the victim’s session data, access internal routes, and perform other unauthorized actions on the network.

Recommendations for Affected Organizations

As of now, approximately 4,500 internet-facing SonicWall devices remain vulnerable to this attack. To mitigate the risk, organizations must update their firewalls to the latest patched version of SonicOS. SonicWall has strongly urged all users to apply the patch immediately to prevent exploitation.

Security experts also recommend that organizations implement enhanced monitoring practices to detect potential session hijacking. Custom logging configurations could help administrators identify suspicious behaviors, such as multiple source IP addresses accessing the same VPN session.
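The two signals above, a session cookie that decodes to nothing but null bytes (the cookie shape described under "The Attack Process") and one session used from more than one source address, can be checked with a few lines of log processing. The script below is an added example and is not code from the article, SonicWall, or Bishop Fox. The log lines are constructed, and the line format, the field names, and the cookie name `swap` are assumptions made for the example; real SonicOS logs will need their own parser in place of `parse_line`.

```python
"""Added example: detection logic for the two session-hijack signals the article
recommends watching for. Not code from the article, SonicWall, or Bishop Fox."""
import base64
import binascii
from collections import defaultdict

# The crafted cookie the write-up describes: base64 of 32 null bytes
# (43 'A' characters followed by '=').
NULL_COOKIE_32 = base64.b64encode(b"\x00" * 32).decode()

# Constructed log lines (not real SonicOS output). Assumed format, one request per line:
#   <timestamp> <src_ip> sess=<server-side session id> <method> <path> swap=<cookie value>
# "sess" is the session the server bound the request to; "swap" is the cookie the client
# presented (the cookie name is an assumption for this example). Line 3 shows an attacker
# presenting the null-byte cookie and being bound to user session a1f3 from a new address.
SAMPLE_LOG = f"""\
2025-02-11T10:00:01Z 203.0.113.10 sess=a1f3 GET /cgi-bin/sslvpnclient swap=dGhpcy1pcy1hLXJlYWwtc2Vzc2lvbi1jb29raWUtMDE=
2025-02-11T10:00:05Z 203.0.113.10 sess=a1f3 GET /cgi-bin/portal swap=dGhpcy1pcy1hLXJlYWwtc2Vzc2lvbi1jb29raWUtMDE=
2025-02-11T10:02:17Z 198.51.100.77 sess=a1f3 GET /cgi-bin/sslvpnclient swap={NULL_COOKIE_32}
2025-02-11T10:03:40Z 192.0.2.55 sess=b7c9 GET /cgi-bin/portal swap=YW5vdGhlci1sZWdpdC1zZXNzaW9uLWNvb2tpZS0wMDI=
"""


def parse_line(line: str) -> dict:
    """Split one assumed-format log line into its fields."""
    ts, src_ip, sess, method, path, cookie = line.split(maxsplit=5)
    return {
        "ts": ts,
        "src_ip": src_ip,
        "session": sess.removeprefix("sess="),
        "method": method,
        "path": path,
        "swap": cookie.removeprefix("swap="),
    }


def is_null_byte_cookie(value: str) -> bool:
    """True when the cookie is valid base64 whose decoded bytes are all 0x00.
    Any non-empty length is flagged; the described attack used 32 bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and raw == b"\x00" * len(raw)


def analyze(log_text: str) -> list:
    """Return findings as tuples:
       ("null_byte_cookie", src_ip, session)         crafted cookie presented
       ("session_multi_ip", session, (ip, ip, ...))  one session, several client addresses
    """
    findings = []
    ips_by_session = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if is_null_byte_cookie(ev["swap"]):
            findings.append(("null_byte_cookie", ev["src_ip"], ev["session"]))
        ips_by_session[ev["session"]].add(ev["src_ip"])
    for session, ips in sorted(ips_by_session.items()):
        if len(ips) > 1:
            findings.append(("session_multi_ip", session, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The null-byte check is the high-confidence signal: no legitimate client presents that cookie. The multi-address check is noisier, since mobile users change networks mid-session, so treat it as a correlation hint (especially when the second address appears shortly after a request carrying the null-byte cookie) rather than an alert on its own.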

Furthermore, administrators should ensure that access control measures and session management protocols are closely reviewed to limit potential impacts from future vulnerabilities.

Conclusion

The discovery of CVE-2024-53704 is a stark reminder of the security risks that can arise when network devices, particularly those handling sensitive VPN traffic, are left unpatched. While the vulnerability is relatively easy to exploit, the impact of an attack could be catastrophic for organizations relying on SonicWall firewalls for secure remote access.

With a growing number of SonicWall devices still vulnerable, companies are urged to take swift action and apply the latest patches. Failure to do so could result in serious security breaches, unauthorized access to private networks, and the disruption of critical business operations.

For more information and updates, SonicWall customers should refer to the official advisory released by the vendor.