SonicWall Firewall Vulnerability CVE-2024-53704 Exploited to Hijack SSL VPN Sessions and Breach Networks
A critical authentication bypass vulnerability, CVE-2024-53704, in SonicWall firewalls has been exploited by cybercriminals to hijack active SSL VPN sessions, enabling unauthorized access to private networks. This flaw affects multiple models of SonicWall firewalls, including Gen7 devices and TZ80, running outdated versions of SonicOS. With the potential to bypass multi-factor authentication, the vulnerability exposes sensitive data and internal networks to attackers. Security experts are urging organizations to patch immediately to prevent exploitation, as the vulnerability has been linked to increasing ransomware attacks and other cyber threats.

SonicWall Firewall Flaw Exploited to Breach Networks Without Authorization
Cybersecurity researchers have uncovered a critical flaw in SonicWall firewalls that has been actively exploited by cybercriminals to breach private networks. The vulnerability, tracked as CVE-2024-53704, allows attackers to bypass authentication mechanisms, including multi-factor authentication (MFA), and hijack active SSL VPN sessions without requiring user credentials.
A Critical Authentication Bypass Vulnerability
The vulnerability, identified by researchers at Bishop Fox, is rooted in the improper handling of session cookies in SonicWall's SSL VPN component within the SonicOS operating system. This flaw enables remote attackers to gain unauthorized access to sensitive data and internal networks by exploiting weaknesses in the session validation process. Specifically, the vulnerability allows attackers to bypass SSL VPN authentication by manipulating Base64-encoded session cookies.
The exploit is dangerous because it does not require user interaction or knowledge of the target VPN session. As long as at least one user is connected to the VPN, the attacker can hijack the session with ease. Once exploited, attackers can gain access to crucial data, initiate VPN tunnels to private networks, or even terminate the victim’s active session.
Exploited by Threat Actors
The flaw in SonicWall firewalls has made it an attractive vector for cybercriminals, including advanced persistent threat (APT) groups and ransomware gangs like Akira. Cybersecurity company Arctic Wolf reported seeing exploitation attempts just days after the release of a proof-of-concept (PoC) exploit in February 2025. The attack allows malicious actors to bypass critical security features like MFA and access networks without any authentication.
The attack is opportunistic, meaning that it can be launched against any vulnerable system with an active SSL VPN session, without prior knowledge of the victim’s login credentials or network configuration. This exploit has been widely observed across various industries globally, as attackers search for vulnerable devices.
SonicWall Firewalls Affected
The vulnerability affects a wide range of SonicWall firewalls, especially those running outdated versions of SonicOS. Affected models include Gen7 firewalls, TZ80 devices, and several other products from the Gen6 series. SonicWall’s failure to properly secure its SSL VPN authentication mechanism leaves exposed devices vulnerable to attack.
According to the research conducted by Bishop Fox, attackers can hijack active VPN sessions by sending a specially crafted session cookie containing a base64-encoded string of null bytes to the /cgi-bin/sslvpnclient endpoint on vulnerable firewalls. When this request is received, SonicWall’s authentication mechanism mistakenly validates the session, giving the attacker unauthorized access to the internal network.
The Exploit Process and Attack Impact
Once the vulnerability is successfully exploited, the attacker can hijack the VPN session and perform a variety of malicious activities:
- Access Sensitive Information: Attackers can retrieve critical data such as Virtual Office bookmarks and NetExtender configuration files.
- Open VPN Tunnels: Malicious actors can create unauthorized VPN tunnels to internal networks, bypassing corporate security.
- Terminate Active Sessions: The attacker can log out the legitimate user from the VPN, disrupting their connection and gaining further control of the system.
- Stealthy Exploitation: As the vulnerability does not require user interaction and can occur without any warning, it remains difficult for organizations to detect until the damage is already done.
Global Threat and Active Exploitation
After the release of the PoC exploit in February 2025, the cybersecurity community saw a dramatic increase in exploitation attempts targeting vulnerable SonicWall devices. CISA (Cybersecurity and Infrastructure Security Agency) included CVE-2024-53704 in its Known Exploited Vulnerabilities Catalog, urging organizations to apply patches before March 11, 2025.
Initial scans of devices exposed to the internet using platforms like Shodan revealed over 11,000 vulnerable devices still unpatched. The number of vulnerable devices continues to rise, underscoring the severity of the situation and the urgent need for organizations to address the flaw before malicious actors exploit it further.
Mitigation Measures and Recommendations
SonicWall has acknowledged the vulnerability and released patches to address the issue. Organizations must immediately update their SonicWall devices to the following patched versions:
- SonicOS 7.0.1-5165 or later for Gen7 firewalls
- SonicOS 7.1.3-7015 or higher for Gen7 firewalls
- SonicOS 8.0.0-8037 or higher for TZ80 devices
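To turn the fixed-version list above into a repeatable inventory check, here is an added example (not SonicWall's or the article's code) that parses SonicOS version strings of the form major.minor.patch-build and compares each device against the minimum fixed build on its own release branch. The inventory entries and hostnames are constructed; the two Gen7 fixes are matched by branch (7.0.x versus 7.1.x) so that a 7.0.x build is never judged "newer" than the 7.1.3 fix just because 7.1 sorts higher. Gen6 is named as affected in the article but no fixed version is given, so those devices are flagged for manual review rather than silently passed.

```python
import re
from typing import List, Tuple

# Minimum fixed SonicOS builds as listed in the article, keyed by firewall family.
# Gen7 has two supported branches, each with its own fixed build.
PATCHED_MINIMUM = {
    "Gen7": ["7.0.1-5165", "7.1.3-7015"],
    "TZ80": ["8.0.0-8037"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '7.0.1-5165' into (7, 0, 1, 5165) so versions compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def assess(generation: str, running: str) -> str:
    """Classify one device as 'patched', 'vulnerable', 'unknown-branch' or 'unknown-generation'.

    A branch is identified by major.minor; the running build is compared only against
    the fixed build on the same branch. Branches and families the article gives no
    fixed version for are reported for manual review instead of being assumed safe.
    """
    if generation not in PATCHED_MINIMUM:
        return "unknown-generation"
    run = parse_version(running)
    for fixed in (parse_version(v) for v in PATCHED_MINIMUM[generation]):
        if fixed[:2] == run[:2]:
            return "patched" if run >= fixed else "vulnerable"
    return "unknown-branch"


# Constructed sample inventory: (hostname, family, running SonicOS version).
INVENTORY = [
    ("fw-hq-01", "Gen7", "7.1.3-7015"),      # at the fixed build on the 7.1 branch
    ("fw-branch-02", "Gen7", "7.0.1-5119"),  # below the 7.0.1-5165 fix
    ("fw-lab-03", "TZ80", "8.0.0-8035"),     # below the 8.0.0-8037 fix
    ("fw-old-04", "Gen6", "6.5.4.15-117n"),  # Gen6: affected per the article, no fixed build listed
]


def needs_action(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, status) for every device that is not verified patched."""
    results = []
    for host, generation, version in inventory:
        status = assess(generation, version)
        if status != "patched":
            results.append((host, status))
    return results


if __name__ == "__main__":
    for host, status in needs_action(INVENTORY):
        print(f"{host}: {status}")
```

Feed it the version strings exported from your own device management console; anything reported as unknown-branch or unknown-generation should be checked against SonicWall's advisory rather than treated as fixed.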
For organizations unable to immediately apply the patches, SonicWall recommends taking the following interim measures:
- Limit SSL VPN Access: Restrict access to trusted sources only, and if SSL VPN access is not required, disable it entirely from the internet.
- Restrict Firewall Management: If possible, restrict SSH management access to trusted IP addresses and prevent access from public networks to reduce the risk of exploitation.
- Monitor Network Traffic: Administrators should monitor network traffic for unusual activity and configure custom logging to detect any suspicious behavior related to SSL VPN sessions.
- Educate Users: Educating employees about cybersecurity best practices, such as recognizing suspicious activity, is essential to preventing exploitation.
Why Timely Remediation is Critical
The flaw's simplicity—coupled with its severe impact—makes this vulnerability a critical threat to organizations that use affected SonicWall devices. Exploiting the vulnerability requires minimal effort on the part of attackers, making it an attractive option for malicious actors looking to infiltrate corporate networks.
Bishop Fox researchers emphasized the urgency of patching this vulnerability. While discovering the flaw required reverse engineering, exploiting it is trivial. Once attackers gain unauthorized access, they can move laterally within the network, escalate privileges, and cause widespread damage.
Conclusion: The Need for Urgent Action
SonicWall’s CVE-2024-53704 authentication bypass vulnerability poses a significant risk to organizations worldwide. The ability for attackers to hijack VPN sessions without authentication and gain access to sensitive data makes it a highly attractive exploit for cybercriminals, including sophisticated ransomware groups.
With over 11,000 vulnerable devices still exposed to the internet, immediate action is necessary. Organizations must apply the latest patches, limit VPN access, and monitor their systems for any signs of exploitation. Failure to address this vulnerability can lead to significant data breaches, financial losses, and reputational damage.
As SonicWall and cybersecurity experts continue to urge, timely patching and securing network systems are the most effective ways to mitigate the risks associated with this critical vulnerability. CISA’s inclusion of CVE-2024-53704 in the Known Exploited Vulnerabilities catalog further stresses the need for prompt remediation, ensuring that affected organizations act swiftly to secure their networks and prevent further compromise.