SonicWall Firewall Vulnerability Exploited Following PoC Release

Cybersecurity experts are raising alarms as attackers exploit a critical authentication bypass vulnerability (CVE-2024-53704) in SonicWall firewalls. This flaw affects the SSL VPN authentication mechanism and poses a significant risk to organizations using vulnerable SonicOS versions. With proof-of-concept (PoC) exploit code now publicly available, immediate action is essential to protect networks.

Overview of the Vulnerability

The vulnerability impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035. These versions are used by various models of Gen 6 and Gen 7 firewalls, as well as SOHO series devices. Attackers can exploit this flaw to hijack active SSL VPN sessions without authentication, granting them unauthorized access to sensitive networks.

SonicWall urges customers to upgrade their firewalls’ SonicOS firmware immediately. In a proactive email sent before the public disclosure, SonicWall provided security updates on January 7 and recommended firmware upgrades.

For administrators unable to apply the firmware update right away, SonicWall suggests several mitigation measures:

  • Limit access to trusted sources.
  • Restrict access from the Internet if not necessary.

Exploitation Attempts on the Rise

Cybersecurity firm Arctic Wolf reports that they detected exploitation attempts targeting this vulnerability shortly after the PoC became public. The released exploit allows unauthenticated threat actors to bypass multi-factor authentication (MFA), disclose private information, and disrupt ongoing VPN sessions.

“The ease of exploitation and the availability of threat intelligence make it imperative for organizations to upgrade to a fixed firmware version,” Arctic Wolf emphasizes.

Timeline of Events

  • January 7: SonicWall released security updates and urged customers to upgrade their firmware.
  • February 7: Internet scans revealed approximately 4,500 unpatched SonicWall SSL VPN servers exposed online.
  • February 10: Security researchers at Bishop Fox published a PoC exploit for the vulnerability.

Historical Context

SonicWall firewalls have faced attacks in the past. Ransomware affiliates like Akira and Fog have targeted these devices. Arctic Wolf warned that at least 30 intrusions began with remote network access through compromised SonicWall VPN accounts.
