SonicWall Authentication Flaw Faces Active Exploitation Threat

Security researchers warn of ongoing exploitation of a critical vulnerability in SonicWall’s SonicOS.

Key Findings:

  • The vulnerability, identified as CVE-2024-53704, allows remote attackers to bypass authentication in the SSL VPN mechanism.
  • SonicWall issued a patch on January 7, but researchers report evidence of active exploitation.
  • The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Ongoing Exploitation and Threat Landscape

SonicWall initially patched CVE-2024-53704 after researchers from Computest Security disclosed the flaw. At the time of the patch release, the company stated it had no evidence of active exploitation. However, subsequent findings suggest otherwise.

Researchers at Bishop Fox recently published a proof-of-concept demonstrating how attackers can hijack active SSL VPN sessions, potentially enabling unauthorized access to networks. Arctic Wolf researchers also confirmed that threat actors are actively targeting this vulnerability.

According to Bishop Fox, attackers exploiting this flaw could:

  • Read a user’s Virtual Office bookmarks
  • Retrieve client configuration profiles for NetExtender
  • Access private networks
  • Execute other unauthorized activities

Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, highlighted the potential consequences, stating that the vulnerability could allow attackers to bypass authentication, including multi-factor authentication (MFA), disrupt service availability, and expose confidential information.

Company and Industry Response

SonicWall has reiterated that, as of now, there are no confirmed reports of successful exploitation. However, the company strongly urges customers and partners to update their firmware immediately to mitigate risks.

Caitlin Condon, director of vulnerability intelligence at Rapid7, acknowledged reports of active exploitation but stated that the firm has not observed any successful attacks within its production environments.

Arctic Wolf researchers noted that Akira ransomware actors have previously targeted SSL VPN accounts on SonicWall devices as an initial access vector for attacks. Additionally, SonicWall had already warned in January of threat actors targeting another critical vulnerability, CVE-2025-23006, in SMA 1000 appliances.

Mitigation Recommendations

Security experts advise organizations using SonicWall devices to:

  • Immediately apply the latest firmware updates
  • Monitor for any signs of unusual network activity
  • Strengthen authentication mechanisms and implement robust access controls

With active exploitation now confirmed, organizations must act swiftly to secure their networks against potential threats.