
SonicWall Firewall Flaw Exploited to Breach Networks Without Authorization

Bishop Fox researchers have successfully exploited CVE-2024-53704, a critical authentication bypass vulnerability in SonicWall firewalls, enabling remote attackers to hijack active SSL VPN sessions and gain unauthorized access to private networks.

This flaw, rooted in the improper handling of Base64-encoded session cookies, underscores the urgency for organizations to apply patches released by SonicWall in January 2025.

Vulnerability Details

CVE-2024-53704 affects the SSL VPN component of SonicWall’s SonicOS, impacting multiple firewall models, including Gen7 and TZ80 devices running outdated firmware versions.

The vulnerability allows attackers to bypass authentication mechanisms, including multi-factor authentication (MFA), by exploiting improperly implemented session cookie validation.

Once exploited, attackers can hijack active VPN sessions without requiring user credentials.

Through this exploit, attackers gain access to sensitive data such as Virtual Office bookmarks and NetExtender configuration files, initiate VPN tunnels to private networks, and even terminate the victim’s session.

The exploit is opportunistic—any active session can be hijacked without prior knowledge of the user or target.

Exploitation and Active Threats

While uncovering the vulnerability required significant reverse engineering, the actual exploit is trivial.

Bishop Fox researchers developed proof-of-concept (PoC) code that demonstrates how a crafted Base64-encoded session cookie can trigger unauthorized access.

This simplicity has made the vulnerability attractive to threat actors, including ransomware groups like Akira, who use it as an initial access vector.

Since the PoC’s release in February 2025, exploitation attempts have been observed globally.

Cybersecurity agencies like CISA have added CVE-2024-53704 to their Known Exploited Vulnerabilities catalog, urging organizations to patch immediately.

Mitigation and Recommendations

SonicWall released patches addressing CVE-2024-53704 on January 7, 2025.

Affected organizations must upgrade their firmware to secure versions such as SonicOS 7.1.3-7015 or higher for Gen7 firewalls and 8.0.0-8037 or higher for TZ80 devices.

Additionally, SonicWall recommends restricting SSL VPN access to trusted sources or disabling it entirely from public networks as an interim measure.
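As an added example (not from SonicWall or Bishop Fox), the following sketch triages a firewall inventory against the fixed builds named above and prioritises devices whose SSL VPN is reachable from public networks. The inventory fields (`name`, `family`, `firmware`, `sslvpn_public`) and the sample records are assumptions constructed for illustration; only the two version thresholds come from this article.

```python
import re

# Minimum fixed builds, taken from the article above.
FIXED = {
    "gen7": (7, 1, 3, 7015),
    "tz80": (8, 0, 0, 8037),
}

# major.minor.patch-build, not preceded by another digit or dot
# (so four-part strings such as '6.5.4.15-116n' are not mis-parsed).
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_sonicos(version):
    """Turn '7.1.3-7015' (optionally prefixed 'SonicOS ') into a comparable tuple."""
    m = VERSION_RE.search(version or "")
    return tuple(int(p) for p in m.groups()) if m else None


def triage(device):
    """Return 'patched', 'upgrade' or 'review' for one inventory record."""
    fixed = FIXED.get(device.get("family", "").lower())
    current = parse_sonicos(device.get("firmware"))
    if fixed is None or current is None:
        return "review"  # unknown family or unparsable version: check by hand
    return "patched" if current >= fixed else "upgrade"


def triage_inventory(inventory):
    """Map device name -> status, escalating unpatched devices with public SSL VPN."""
    report = {}
    for dev in inventory:
        status = triage(dev)
        if status == "upgrade" and dev.get("sslvpn_public"):
            status = "upgrade-urgent"  # below fixed build and SSL VPN exposed
        report[dev["name"]] = status
    return report


# Constructed sample inventory (hostnames, fields and builds are illustrative).
SAMPLE = [
    {"name": "fw-hq", "family": "gen7", "firmware": "SonicOS 7.1.1-7058", "sslvpn_public": True},
    {"name": "fw-branch", "family": "gen7", "firmware": "7.1.3-7015", "sslvpn_public": True},
    {"name": "fw-lab", "family": "tz80", "firmware": "8.0.0-8035", "sslvpn_public": False},
    {"name": "fw-old", "family": "gen6", "firmware": "6.5.4.15-116n", "sslvpn_public": True},
    {"name": "fw-dr", "family": "gen7", "firmware": "unknown", "sslvpn_public": False},
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE).items():
        print(f"{name}: {status}")
```

Devices reported as `review` belong to families or version formats this article does not cover and should be checked against SonicWall's advisory directly.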

To detect potential exploitation, administrators should monitor network traffic for unusual patterns and implement custom logging configurations to identify suspicious activity tied to SSL VPN sessions.

Regular security assessments and user education on cybersecurity best practices are also crucial.

With over 11,000 vulnerable devices identified on platforms like Shodan during initial scans, CVE-2024-53704 poses a significant risk if left unpatched.

Organizations must act swiftly to mitigate this threat by applying updates and reinforcing network security measures.

As Bishop Fox researchers emphasized, the exploit’s trivial nature, coupled with its severe impact, makes timely remediation critical.
