
SonicWall Firewalls Exploit Let Attackers Remotely Hack Networks Via SSL VPN Sessions Hijack


A critical security flaw, CVE-2024-53704, has been identified in SonicWall’s SonicOS SSLVPN application, enabling remote attackers to bypass authentication and hijack active SSL VPN sessions.

This vulnerability affects several SonicWall firewall models running specific versions of SonicOS, including Gen6 and Gen7 devices.

The flaw stems from an improper authentication mechanism in the SSLVPN component, allowing attackers to gain unauthorized access to private networks without requiring valid credentials.

The vulnerability has a CVSS v3 score of 8.2, underlining its high severity.

Exploitation details have been publicly disclosed by security researchers at Bishop Fox, significantly increasing the risk of attacks on unpatched systems.

Exploitation Details and Risks

The exploit leverages a specially crafted session cookie containing a base64-encoded string of null bytes.

When sent to the SSL VPN authentication endpoint (/cgi-bin/sslvpnclient), the flawed authentication mechanism incorrectly validates the session as legitimate. This allows attackers to:

  • Hijack active SSL VPN sessions.
  • Access Virtual Office bookmarks.
  • Obtain configuration settings for SonicWall’s NetExtender client.
  • Open VPN tunnels to internal networks.
  • Log out legitimate users, disrupting their connections.

The attack does not require prior knowledge of usernames or passwords and bypasses multi-factor authentication (MFA).

Once inside, attackers can navigate sensitive network resources, potentially leading to data breaches or ransomware deployment.

Affected Systems

The vulnerability impacts the following SonicOS versions and devices:

  • Gen7 Firewalls: TZ270, TZ370, TZ470, TZ570, NSa series (2700–6700), NSsp series (10700–15700). Affected versions include 7.1.x (up to 7.1.1-7058) and 7.1.2-7019.
  • Gen6 Firewalls: SOHO series, TZ300–TZ600 series, NSA series (2650–6650). Affected versions are 6.5.4.15-117n and older.
  • TZ80: Version 8.0.0-8035.
  • Gen7 NSv Virtual Appliances: NSv270–NSv870 on AWS and Azure platforms.

SonicWall has released patches to address this vulnerability:

  • Gen7 Firewalls: Update to SonicOS 7.1.3-7015 or higher.
  • TZ80: Upgrade to version 8.0.0-8037 or higher.
  • Gen6 Firewalls: Apply firmware version 6.5.5.1-6n or newer.
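The affected and fixed releases listed above can be checked against a firmware inventory. The following is an added example, not SonicWall's or the article's code: the function names, hostnames and the rule of ignoring the trailing letter in the build suffix (such as the `n` in `117n`) are assumptions.

```python
import re

# Fixed releases quoted in the article, keyed by SonicOS major version.
FIXED = {6: "6.5.5.1-6n", 7: "7.1.3-7015", 8: "8.0.0-8037"}

def parse(version):
    """'6.5.4.15-117n' -> ((6, 5, 4, 15), 117). Raises ValueError on junk."""
    m = re.fullmatch(r"(\d+(?:\.\d+){2,3})-(\d+)[a-z]?", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    # Pad to four fields so 7.1.3 and 6.5.5.1 compare component-wise.
    return nums + (0,) * (4 - len(nums)), int(m.group(2))

def triage(version):
    """Return 'patched', 'update', or 'unlisted' for one firmware string."""
    nums, build = parse(version)
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return "unlisted"            # major version the article does not mention
    if (nums, build) >= parse(fixed):
        return "patched"
    if nums[0] == 7 and nums[1] != 1:
        return "unlisted"            # article names only the 7.1.x line for Gen7
    # Assumption: any build below the fixed release on a listed line needs the update.
    return "update"

def report(inventory):
    """Map hostname -> triage result; unparseable versions are flagged, not dropped."""
    results = {}
    for host, version in inventory:
        try:
            results[host] = triage(version)
        except ValueError:
            results[host] = "unparsed"
    return results

# Constructed sample inventory: hostnames are made up, the last two versions are constructed.
INVENTORY = [
    ("fw-branch-01", "7.1.1-7058"),
    ("fw-branch-02", "7.1.3-7015"),
    ("fw-legacy-01", "6.5.4.15-117n"),
    ("fw-legacy-02", "6.5.5.1-6n"),
    ("fw-tz80-01", "8.0.0-8035"),
    ("fw-lab-01", "7.0.1-5161"),
    ("fw-unknown", "SonicOS Enhanced"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:14} {status}")
```

Devices reported as `unlisted` or `unparsed` need a manual check against the vendor advisory, since the article does not state their status.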

If immediate patching is not feasible:

  1. Disable SSLVPN access or restrict it to trusted IP addresses.
  2. Limit SSH management access from public networks.

Organizations are urged to implement these updates promptly as proof-of-concept (PoC) exploits are now publicly available, increasing the likelihood of real-world attacks.

With over 4,500 internet-facing SonicWall firewalls reportedly still unpatched as of February 2025, the exploitation risk for CVE-2024-53704 remains critical.

Administrators must act swiftly to secure their systems by applying the recommended patches or mitigating measures to prevent unauthorized access and potential cyberattacks targeting their networks.
