Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
This security flaw (CVE-2024-53704), tagged by CISA as critical severity and found in the SSLVPN authentication mechanism, impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, used by multiple models of Gen 6 and Gen 7 firewalls and SOHO series devices.
Successful exploitation enables remote attackers to hijack active SSL VPN sessions without authentication, which grants them unauthorized access to targets’ networks.
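The affected version list above is the practical test an administrator needs when triaging a firewall inventory, so here is an added example (not code from the article, SonicWall, or Arctic Wolf) that parses Gen 7 SonicOS version strings of the form `major.minor.patch-build` and flags the builds the article lists as affected. It assumes that format, treats any version outside the listed set as "not listed" rather than proven patched, and routes strings it cannot parse (for example the differently formatted Gen 6 firmware versions) to a manual-review bucket instead of silently clearing them. The hostnames and versions in the sample inventory are constructed for the example.

```python
import re

# Affected SonicOS versions as listed in the article:
#   7.1.x up to and including 7.1.1-7058, 7.1.2-7019, and 8.0.0-8035.
# Anything else is reported as "not listed", not as "patched": this is an
# inventory triage aid and does not replace the vendor advisory.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")  # assumed Gen 7 format


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Split '7.1.1-7058' into (7, 1, 1, 7058); raise on any other shape."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {s!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return major, minor, patch, build


def is_listed_affected(version: str) -> bool:
    """True if the version falls in one of the affected ranges named in the article."""
    major, minor, patch, build = parse_version(version)
    # 7.1.x branch up to 7.1.1-7058: tuple comparison orders by patch, then build,
    # so 7.1.0-anything and 7.1.1-<=7058 match while 7.1.1-7059 and 7.1.3-* do not.
    if (major, minor) == (7, 1) and (patch, build) <= (1, 7058):
        return True
    # Two builds the article calls out individually.
    return (major, minor, patch, build) in {(7, 1, 2, 7019), (8, 0, 0, 8035)}


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket a {hostname: version} inventory into affected / not_listed / unparseable."""
    result: dict[str, list[str]] = {"affected": [], "not_listed": [], "unparseable": []}
    for host, ver in inventory.items():
        try:
            bucket = "affected" if is_listed_affected(ver) else "not_listed"
        except ValueError:
            # Gen 6 strings (e.g. 6.5.x.y-NNNn) do not match the Gen 7 regex;
            # leave them for a manual check rather than reporting them clean.
            bucket = "unparseable"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = {
    "fw-branch-01": "7.1.1-7058",   # last affected build of the 7.1.1 line
    "fw-branch-02": "7.1.1-7040",   # older 7.1.1 build, also affected
    "fw-dc-01": "7.1.2-7019",       # explicitly listed
    "fw-tz80-01": "8.0.0-8035",     # explicitly listed
    "fw-dc-02": "7.1.3-7015",       # outside the listed ranges
    "fw-old-01": "6.5.4.15-117n",   # Gen 6 format, needs manual review
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run it against a real export of `hostname,version` pairs and treat both the `affected` and `unparseable` buckets as work items; the `not_listed` bucket only means the version is not one the article names, so confirm it against SonicWall's advisory before closing the ticket.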
In an email sent before publicly disclosing the vulnerability and releasing security updates on January 7, SonicWall urged customers to upgrade their firewalls' SonicOS firmware immediately to prevent exploitation.
The company also shared mitigation measures for admins who couldn’t immediately secure their devices, including limiting access to trusted sources and restricting access from the Internet entirely if not needed.
On Thursday, cybersecurity company Arctic Wolf said it began detecting exploitation attempts against this vulnerability "shortly after the PoC was made public," confirming SonicWall's warning that public exploit code would make exploitation far more likely.
“The released PoC exploit allows an unauthenticated threat actor to bypass MFA, disclose private information, and interrupt running VPN sessions,” Arctic Wolf stated.
“Given the ease of exploitation and available threat intelligence, Arctic Wolf strongly recommends upgrading to a fixed firmware to address this vulnerability.”
PoC exploit released one month after patch
Security researchers at Bishop Fox published a PoC exploit on February 10, roughly one month after patches were released.
Bishop Fox added that roughly 4,500 unpatched SonicWall SSL VPN servers were exposed online according to internet scans on February 7.
“Proof-of-Concepts (PoCs) for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) are now publicly available,” SonicWall warned after the exploit code was released.
“This significantly increases the risk of exploitation. Customers must immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update is not possible, disable SSLVPN.”
In the past, Akira and Fog ransomware affiliates have also targeted SonicWall firewalls. Arctic Wolf warned in October that at least 30 intrusions started with remote network access through SonicWall VPN accounts.