SonicWall CVE-2024-53704: SSL VPN Session Hijacking


Bishop Fox researchers have successfully exploited CVE-2024-53704, an authentication bypass affecting the SSL VPN component of unpatched SonicWall firewalls. According to SonicWall, SonicOS versions 7.1.x (7.1.1-7058 and older), 7.1.2-7019, and 8.0.0-8035 are affected. The researchers confirmed that the attack can be performed remotely, without authentication, and enables hijacking of active SSL VPN client sessions.

An attacker with control of an active SSL VPN session can read the user’s Virtual Office bookmarks, obtain a client configuration profile for NetExtender, open a VPN tunnel, access private networks available to the hijacked account, and log out the session (terminating the user’s connection as well).

The vendor advisory for CVE-2024-53704 was only published two weeks ago, and SonicWall reported no evidence of exploitation in the wild. Our current research indicates more than 5,000 affected SonicWall devices remain accessible on the internet. Although significant reverse-engineering effort was required to find and exploit the vulnerability, the exploit itself is rather trivial.

Bishop Fox's responsible disclosure policy is to disclose details publicly 90 days from the date of vendor notification. The issue was reported to SonicWall by Daan Keuper, Thijs Alkemade and Khaled Nassar of Computest Security on November 5, 2024. SonicWall released patches on January 7, 2025. To allow for a complete one-month patch cycle by affected customers, Bishop Fox plans to release details of this exploit code on February 10th, 2025.

As always, customers of Bishop Fox Cosmos were notified shortly after the vulnerability was announced. For customers who would like more detail sooner, we can arrange to share details privately.

We echo the emphasis in SonicWall's release and recommend upgrading your SonicWall firewalls quickly to avoid exploitation.
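To prioritize those upgrades, the sketch below sorts a firewall inventory by whether each firmware string matches the affected SonicOS builds listed earlier in this post. It is an added example, not code from Bishop Fox or SonicWall; the hostnames, the inventory format, and every sample version other than the three builds named above are constructed, and reading "7.1.x (7.1.1-7058 and older)" as every 7.1.0 and 7.1.1 build up to 7058 is an assumption.

```python
import re

# Affected builds as listed in the post above (attributed there to SonicWall).
RANGE_LOW = ((7, 1, 0), 0)       # assumption: "7.1.x" starts at 7.1.0
RANGE_HIGH = ((7, 1, 1), 7058)   # "7.1.1-7058 and older"
EXACT = {((7, 1, 2), 7019), ((8, 0, 0), 8035)}

# Matches "<major>.<minor>.<patch>-<build>" anywhere in a firmware string.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)-(\d+)")


def classify(firmware):
    """Return 'affected', 'not-listed' or 'unparsed' for one firmware string."""
    match = VERSION_RE.search(firmware)
    if match is None:
        return "unparsed"
    major, minor, patch, build = (int(g) for g in match.groups())
    key = ((major, minor, patch), build)
    if RANGE_LOW <= key <= RANGE_HIGH or key in EXACT:
        return "affected"
    # Not in the post's list; this is not proof that the build is fixed.
    return "not-listed"


def triage(inventory):
    """Group hostnames by classification, sorted for stable output."""
    report = {"affected": [], "not-listed": [], "unparsed": []}
    for host, firmware in sorted(inventory.items()):
        report[classify(firmware)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts; 7040 and 7059 are
# made-up build numbers used only to exercise the comparison).
INVENTORY = {
    "fw-branch-01": "SonicOS 7.1.1-7058",
    "fw-branch-02": "SonicOS 7.1.1-7040",
    "fw-hq-01": "SonicOS 7.1.2-7019",
    "fw-hq-02": "SonicOS 8.0.0-8035",
    "fw-lab-01": "SonicOS 7.1.1-7059",
    "fw-lab-02": "version unavailable",
}

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `not-listed` or `unparsed` still need to be checked against the vendor advisory, since the post lists only affected builds.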

For more vulnerability intelligence insights, visit Bishop Fox Labs.



Jon Williams


Senior Security Engineer

As a researcher for the Bishop Fox Capability Development team, Jon spends his time hunting for vulnerabilities and writing exploits for software on our customers' attack surface. He previously served as an organizer for BSides Connecticut for four years and most recently completed the Corelan Advanced Windows Exploit Development course. Jon has presented talks and written articles about his security research on various subjects, including enterprise wireless network attacks, bypassing network access controls, and malware reverse engineering.
