CVE-2024-53704
published 2025-01-09

CVE-2024-53704: An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.

Priority: P1 (100, critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2025-03-11
Exploited in the wild
EPSS: 95.13% (99.9th percentile)

Affected

4 ranges

Vendor      Product    Version range              Fixed in
sonicwall   sonicos
sonicwall   sonicos
sonicwall   sonicos
sonicwall   sonicos    7.1.1-7040 – 7.1.1-7058

Detection & IOCs (extracted from sources)

path: /cgi-bin/sslvpnclient
cookie: swap=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
yara: GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1 with Cookie: swap=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  • The exploit sends a specially crafted session cookie ('swap') containing a base64-encoded string of null bytes to the SSLVPN endpoint. Detect HTTP requests to /cgi-bin/sslvpnclient with a 'swap' cookie value consisting entirely of base64-encoded null bytes (e.g., 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=').
  • Successful exploitation causes the victim VPN session to be logged out and the attacker gains session access. Monitor for unexpected VPN session terminations correlated with new session establishment from a different source IP.
  • Nuclei template matcher looks for the string 'NELaunchX1' in the HTTP 200 response body from /cgi-bin/sslvpnclient, indicating successful session hijack. Use this as a detection signature in HTTP response monitoring.
  • After exploitation, the Set-Cookie response header will contain a new 'swap' session token (alphanumeric). Monitor for Set-Cookie: swap= responses to unauthenticated requests targeting /cgi-bin/sslvpnclient.
  • Use Shodan query 'http.html_hash:-1466805544' to identify internet-exposed SonicWall SSL VPN servers potentially vulnerable to CVE-2024-53704.
  • Affected SonicOS versions are 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035. The vulnerability only applies to devices with SSL VPN or SSH management enabled.
  • The exploit only hijacks *active* SSL VPN sessions; there must be an existing authenticated session on the target device for the attack to succeed.
  • A companion vulnerability, CVE-2024-40762 (weak PRNG in the SSL VPN token generator), may allow token prediction and authentication bypass in certain cases, compounding the risk of CVE-2024-53704.
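A log-side check for the first indicator above, added here as an example (it is not cvebase's or SonicWall's code): it parses a few constructed access-log lines, base64-decodes the 'swap' cookie on requests to /cgi-bin/sslvpnclient and flags any whose decoded value is nothing but null bytes. The log format and source addresses are constructed; the check generalises the single indicator string to any length of null-byte cookie.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

TARGET_PATH = "/cgi-bin/sslvpnclient"

# Constructed log format (an assumption, not SonicWall's own):
#   <src_ip> "<method> <target> HTTP/x.y" "<Cookie header>"
LOG_LINE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" "([^"]*)"$')

SAMPLE_LOG = """\
203.0.113.5 "GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1" "swap=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
198.51.100.7 "GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1" "swap=Zm9vYmFyYmF6cXV4MTIzNA=="
192.0.2.9 "GET /index.html HTTP/1.1" "swap=AAAAAAAAAAAAAAAA"
203.0.113.5 "GET /cgi-bin/sslvpnclient HTTP/1.1" "lang=en; swap=AAAAAAAAAAAAAAAA"
198.51.100.7 "GET /cgi-bin/sslvpnclient HTTP/1.1" "swap=not*base64*"
"""

def parse_cookies(header: str) -> dict:
    """Split a Cookie header into {name: value}; values may contain '='."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies

def swap_is_null_bytes(value: str) -> bool:
    """True when value is valid base64 decoding to nothing but 0x00 bytes
    (covers the 43-'A' indicator and any other length of null bytes)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and raw.count(0) == len(raw)

def scan_log(text: str) -> list:
    """Return (src_ip, swap) for requests to the SSLVPN client endpoint
    whose 'swap' cookie is a base64-encoded run of null bytes."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, _method, target, cookie_header = m.groups()
        if urlsplit(target).path != TARGET_PATH:
            continue  # only the SSLVPN client endpoint matters here
        swap = parse_cookies(cookie_header).get("swap")
        if swap is not None and swap_is_null_bytes(swap):
            hits.append((src, swap))
    return hits
```

Correlate each hit with the VPN session log: the second bullet above says a successful attempt is followed by an existing session being logged out and a new session appearing from the attacker's address.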

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL