CVE-2024-53704
published 2025-01-09
CVE-2024-53704: An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
Priority: P1 · 100 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability · due 2025-03-11
Exploited in the wild
EPSS: 95.13% (99.9th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | 7.1.1-7040 – 7.1.1-7058 | — |
Detection & IOCs (extracted from sources)
yara
GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1 with Cookie: swap=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- The exploit sends a specially crafted session cookie ('swap') containing a base64-encoded string of null bytes to the SSLVPN endpoint. Detect HTTP requests to /cgi-bin/sslvpnclient with a 'swap' cookie value consisting entirely of base64-encoded null bytes (e.g., 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=').
- Successful exploitation causes the victim VPN session to be logged out and the attacker gains session access. Monitor for unexpected VPN session terminations correlated with new session establishment from a different source IP.
- Nuclei template matcher looks for the string 'NELaunchX1' in the HTTP 200 response body from /cgi-bin/sslvpnclient, indicating successful session hijack. Use this as a detection signature in HTTP response monitoring.
- After exploitation, the Set-Cookie response header will contain a new 'swap' session token (alphanumeric). Monitor for Set-Cookie: swap= responses to unauthenticated requests targeting /cgi-bin/sslvpnclient.
- Use Shodan query 'http.html_hash:-1466805544' to identify internet-exposed SonicWall SSL VPN servers potentially vulnerable to CVE-2024-53704.
- Affected SonicOS versions are 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035. The vulnerability only applies to devices with SSL VPN or SSH management enabled.
- The exploit only hijacks *active* SSL VPN sessions; there must be an existing authenticated session on the target device for the attack to succeed.
- A companion vulnerability CVE-2024-40762 (weak PRNG in SSL VPN token generator) may allow token prediction and authentication bypass in certain cases, compounding the risk of CVE-2024-53704.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
GHSA
GHSA-rwgq-wj29-fx3r: An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication
ghsa_unreviewed·2025-01-09
CVE-2024-53704 [CRITICAL] CWE-287 GHSA-rwgq-wj29-fx3r: An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication
VulnCheck
SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-53704 [CRITICAL] CWE-287 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
SonicWall SonicOS contains an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.
Affected: SonicWall SonicOS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://arcticwolf.com/resources/blog/cve-2024-53704/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-24&host_type=src&vulnerability=cve-2024-53704; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=202
CISA
SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
cisa·2025-02-18·CVSS 9.8
CVE-2024-53704 [CRITICAL] CWE-287 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
Vulnerability: SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
Affected: SonicWall SonicOS
SonicWall SonicOS contains an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003 ; https://nvd.nist.gov/vuln/detail/CVE-2024-53704
Remediation Due Date: 2025-03-11
Suricata
ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass HTTP Cookie (swap) (CVE-2024-53704)
suricata·2025-02-13·CVSS 9.8
CVE-2024-53704 [CRITICAL] ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass HTTP Cookie (swap) (CVE-2024-53704)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass HTTP Cookie (swap) (CVE-2024-53704)"; flow:established,to_server; flowbits:set,ET.CVE_2024_53704; http.method; content:"GET"; http.uri; content:"/cgi-bin/sslvpnclient|3f|"; fast_pattern; content:"launchplatform|3d|"; http.cookie; content:"swap|3d|"; pcre:"/^[\x00-\xff]{32}/R"; reference:url,bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking; reference:cve,2024-53704; classtype:web-application-attack; sid:2060055; rev:1; metadata:affected_product SonicWall, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_02_13, cve CVE_2024_53704, deployme
Suricata
ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass Response (CVE-2024-53704)
suricata·2025-02-13·CVSS 9.8
CVE-2024-53704 [CRITICAL] ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass Response (CVE-2024-53704)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass Response (CVE-2024-53704)"; flow:established,to_client; flowbits:isset,ET.CVE_2024_53704; http.header; to_lowercase; content:"set-cookie|3a 20|swap|3d|"; fast_pattern; http.response_body; content:".userName|20 3d 20 22|"; content:".domainName|20 3d 20 22|"; reference:url,bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking; reference:cve,2024-53704; classtype:web-application-attack; sid:2060056; rev:1; metadata:affected_product SonicWall, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_02_13, cve CVE_2024_53704, deployment Perimeter, deployment Inter
Suricata
ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass (CVE-2024-53704)
suricata·2025-01-30·CVSS 9.8
CVE-2024-53704 [CRITICAL] ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass (CVE-2024-53704)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass (CVE-2024-53704)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/__api__/v1/client/sessionstatus|3f|"; fast_pattern; content:"cookie|3d|"; threshold:type threshold, track by_src, count 30, seconds 10; reference:url,attackerkb.com/topics/UB3P3xHVAo/cve-2024-53704/rapid7-analysis; reference:cve,2024-53704; classtype:web-application-attack; sid:2059786; rev:1; metadata:affected_product SonicWall, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_01_30, cve CVE_2024_53704, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Hig
Nuclei
SSL VPN Session Hijacking
nuclei·CVSS 9.8
CVE-2024-53704 [CRITICAL] SSL VPN Session Hijacking
An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
Template:
```yaml
id: CVE-2024-53704
info:
  name: SSL VPN Session Hijacking
  author: johnk3r
  severity: critical
  description: |
    An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
  impact: |
    Unauthenticated attackers can hijack SSL VPN sessions by bypassing authentication mechanisms and gaining unauthorized access to the VPN.
  remediation: |
    Update SonicWall to a version that patches CVE-2024-53704 as specified in PSIRT advisory SNWLID-2025-0003.
  reference:
    - https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking
    - https://psirt.global.sonicwal
```
Greynoiseio
Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure
blogs_greynoiseio·2026-02-27
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Bleepingcomputer
SonicWall firewall bug leveraged in attacks after PoC exploit release
blogs_bleepingcomputer·2025-02-14·CVSS 9.8
CVE-2024-53704 [CRITICAL] SonicWall firewall bug leveraged in attacks after PoC exploit release
## SonicWall firewall bug leveraged in attacks after PoC exploit release
## Sergiu Gatlan
Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
This security flaw (CVE-2024-53704), tagged by CISA as critical severity and found in the SSLVPN authentication mechanism, impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, used by multiple models of Gen 6 and Gen 7 firewalls and SOHO series devices.
Successful exploitation enables remote attackers to hijack active SSL VPN sessions without authentication, which grants them unauthorized access to targets' networks.
SonicWall urged customers to immediately upgrade their firewalls' SonicOS firmware to prevent
Bleepingcomputer
SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
blogs_bleepingcomputer·2025-02-11·CVSS 9.8
CVE-2024-53704 [CRITICAL] SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
## SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
## Bill Toulas
Security researchers at Bishop Fox have published complete exploitation details for the CVE-2024-53704 vulnerability that allows bypassing the authentication mechanism in certain versions of the SonicOS SSLVPN application.
The vendor warned about the high exploitation possibility of the flaw in a bulletin on January 7, urging administrators to upgrade their SonicOS firewalls' firmware to address the problem.
"We have identified a firewall vulnerability that is susceptible to actual exploitation for customers with SSL VPN or SSH management enabled, and that should be mitigated immediately by upgrading to the latest firmware," warned SonicWall in an email sent to customers at the time.
The flaw allo
Bleepingcomputer
SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks
blogs_bleepingcomputer·2025-01-23·CVSS 9.8
CVE-2025-23006 [CRITICAL] SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks
## SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks
## Bill Toulas
SonicWall is warning about a pre-authentication deserialization vulnerability in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), with reports that it has been exploited as a zero-day in attacks.
The flaw, tracked as CVE-2025-23006 and rated critical (CVSS v3 score: 9.8), could allow remote unauthenticated attackers to execute arbitrary OS commands under specific conditions.
The vulnerability affects all firmware versions of the SMA100 appliance up to 12.4.3-02804 (platform-hotfix).
SonicWall highlighted that it has received reports that the vulnerability was exploited as a zero-day in attacks.
"SonicWall PSIRT has been notified of possible active exploitation
Checkpoint
13th January – Threat Intelligence Report
blogs_checkpoint·2025-01-13
CVE-2025-0242 13th January – Threat Intelligence Report
## 13th January – Threat Intelligence Report
The International Civil Aviation Organization (ICAO), which is part of the UN, confirmed a compromise of its recruitment database that exposed 42,000 recruitment applications. The data contains records from April 2016 to July 2024 and includes recruitment-related information, such as names, email addresses, dates of birth, and employment history.
Argentina’s airport security police (PSA) has been compromised with threat actors gaining access to its payroll systems. The at
Bleepingcomputer
SonicWall urges admins to patch exploitable SSLVPN bug immediately
blogs_bleepingcomputer·2025-01-08·CVSS 9.8
[CRITICAL] SonicWall urges admins to patch exploitable SSLVPN bug immediately
## SonicWall urges admins to patch exploitable SSLVPN bug immediately
## Bill Toulas
SonicWall is emailing customers urging them to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that is "susceptible to actual exploitation."
In an email sent to SonicWall customers and shared on Reddit, the firewall vendor says the patches are available as of yesterday, and all impacted customers should install them immediately to prevent exploitation.
"We have identified a high (CVE Score 8.2) firewall vulnerability that is susceptible to actual exploitation for customers with SSL VPN or SSH management enabled and that should be mitigated immediately by upgrading to the latest firmware, which will be web-posted tomorrow, Jan 7th,
arXiv
Sift or Get Off the PoC: Applying Information Retrieval to Vulnerability Research with SiftRank
arxiv_fulltext·2025-12-05
Sift or Get Off the PoC: Applying Information Retrieval to Vulnerability Research with SiftRank
## Abstract
Security research is fundamentally a problem of resource constraint and consequent prioritization. There is simply too much attack surface and too little time and energy to spend analyzing it all. The most effective security researchers are often those who are most skilled at intuitively deciding which part of an expansive attack surface to investigate. We demonstrate that this problem (more generally, the problem of selecting the most promising option from among many possibilities) can be reframed as an information retrieval problem, and solved using document ranking techniques with large language models performing the heavy lifting as general-purpose rankers. We present SiftRank, a ranking algorithm achieving O(n) complexity through three key mechanisms: listwise ranking
Published: 2025-01-09
Added to CISA KEV: 2025-02-18
Exploited in the wild