5,000+ SonicWall firewalls still open to attack (CVE-2024-53704)
5,000+ SonicWall firewalls are still vulnerable to attack via a high-severity vulnerability (CVE-2024-53704) that, according to SonicWall, should be considered “at imminent risk of exploitation”.
The warning came last week from Bishop Fox researchers, after they successfully exploited the vulnerability on unpatched SonicWall firewalls and announced that they would be releasing details of their exploit code on February 10.
“Although significant reverse-engineering effort was required to find and exploit the vulnerability, the exploit itself is rather trivial,” they noted.
While there is currently no indication that attackers have managed to create their own exploit and use it, it previously took Akira and Fog ransomware outfits mere weeks (and possibly days) after a patch release to devise an exploit for CVE-2024-40766, an improper access control vulnerability in the SonicWall SonicOS management access and SSL VPN.
A fix for CVE-2024-53704 is available
New firmware that fixes CVE-2024-53704, an improper authentication vulnerability in the SonicOS SSLVPN authentication mechanism that allows a remote attacker to bypass authentication, was released on January 7, 2024.
The list of platforms and build versions affected by CVE-2024-53704 includes:
- Gen7 firewalls (TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700)
- Gen7 NSv virtual firewalls (NSv 270, NSv 470, NSv 870)
- TZ80 (a subscription-based next-generation firewall for small offices, home offices, and IoT)
In an email notification to its partners, SonicWall additionally emphasized the importance of mitigating the threat quickly by implementing the security update.
“To minimize the potential impact of SSL VPN vulnerabilities, please ensure that access is limited to trusted sources, or disable SSL VPN access from the Internet,” the company added.
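Turning the affected-platform list and SonicWall's mitigation advice into an inventory check is a small but useful exercise for a defender who manages more than a handful of firewalls. The script below is an added example, not code from the article, SonicWall or Bishop Fox. It assumes an inventory of (name, model, firmware, SSL VPN reachable from the Internet) records, which are constructed here; the fixed-firmware thresholds are labelled placeholders that must be replaced with the builds named in SonicWall's advisory, and the version parser assumes the `major.minor.patch-build` form SonicOS version strings use.

```python
"""Triage a firewall inventory for CVE-2024-53704 exposure.

Added example (not SonicWall's or Bishop Fox's code). It combines the
affected-platform list from the advisory with two things a defender controls:
the firmware build each device runs and whether its SSL VPN portal is reachable
from the Internet. The fixed-version thresholds below are PLACEHOLDERS.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Platforms listed as affected in the advisory text.
AFFECTED_GEN7 = {
    "TZ270", "TZ270W", "TZ370", "TZ370W", "TZ470", "TZ470W", "TZ570", "TZ570W",
    "TZ570P", "TZ670", "NSa 2700", "NSa 3700", "NSa 4700", "NSa 5700", "NSa 6700",
    "NSsp 10700", "NSsp 11700", "NSsp 13700", "NSsp 15700",
    "NSv 270", "NSv 470", "NSv 870",
}
AFFECTED_TZ80 = {"TZ80"}

# PLACEHOLDER thresholds (assumption, not from the article): the first firmware
# build that contains the fix. Take the real values from SonicWall's advisory.
FIXED_VERSION = {
    "gen7": "7.9.9-9999",  # placeholder
    "tz80": "8.9.9-9999",  # placeholder
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse a SonicOS-style 'major.minor.patch-build' string into a numeric tuple.

    Comparing tuples of ints avoids the classic string-comparison mistake where
    '7.10.0-1' sorts below '7.9.9-9999'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def family(model: str) -> str | None:
    """Map a model name to the advisory family it belongs to, or None if unlisted."""
    if model in AFFECTED_TZ80:
        return "tz80"
    if model in AFFECTED_GEN7:
        return "gen7"
    return None


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    sslvpn_from_internet: bool  # SSL VPN portal reachable from WAN / any source


def triage(dev: Device) -> str:
    """Classify one device: not-affected, patched, patch-limited or patch-urgent.

    'patch-limited' means the build is unpatched but SSL VPN is already limited
    to trusted sources (the interim mitigation SonicWall recommends); it still
    needs the update, just with less exposure in the meantime.
    """
    fam = family(dev.model)
    if fam is None:
        return "not-affected"
    if parse_version(dev.firmware) >= parse_version(FIXED_VERSION[fam]):
        return "patched"
    return "patch-urgent" if dev.sslvpn_from_internet else "patch-limited"


def summarize(devices: list[Device]) -> dict[str, list[str]]:
    """Group device names by triage result so the urgent ones surface first."""
    groups: dict[str, list[str]] = {
        "patch-urgent": [], "patch-limited": [], "patched": [], "not-affected": []
    }
    for dev in devices:
        groups[triage(dev)].append(dev.name)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (not real devices).
    inventory = [
        Device("branch-fw-1", "TZ370", "7.1.1-7000", sslvpn_from_internet=True),
        Device("dc-fw-1", "NSa 4700", "7.9.9-9999", sslvpn_from_internet=True),
        Device("home-fw-1", "TZ80", "8.0.0-8000", sslvpn_from_internet=False),
        Device("legacy-fw-1", "TZ350", "6.5.4-4", sslvpn_from_internet=True),
    ]
    for result, names in summarize(inventory).items():
        print(f"{result:14s} {', '.join(names) or '-'}")
```

Run it against an export from whatever inventory system you use; the point of the `patch-limited` bucket is that restricting SSL VPN to trusted sources buys time, not that it replaces the firmware update.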
Last Thursday, Bishop Fox researchers confirmed that the vulnerability can be exploited remotely and without authentication, and that it enables hijacking of active SSL VPN client sessions.
“An attacker with control of an active SSL VPN session can read the user’s Virtual Office bookmarks, obtain a client configuration profile for NetExtender, open a VPN tunnel, access private networks available to the hijacked account, and log out the session (terminating the user’s connection as well),” they shared.
They also decided not to make attackers’ lives easier by releasing more details about the flaw and the exploit, and to allow organizations enough time to patch before going public with it.
A few days ago, SonicWall warned about attackers taking advantage of CVE-2025-23006, a critical vulnerability affecting its Secure Mobile Access (SMA) 1000 Series appliances.
In 2021, attackers leveraged three zero-day flaws in SonicWall Email Security appliances.