Dive Brief:
- Security researchers warn a critical vulnerability in SonicWall’s SonicOS is under active exploitation. The flaw, listed as CVE-2024-53704, is an improper authentication vulnerability in the SSL VPN mechanism, which can allow a remote actor to bypass authentication.
- SonicWall issued an advisory and patched the vulnerability on Jan. 7. However, researchers from Bishop Fox released a proof-of-concept earlier this month, and Arctic Wolf researchers last week warned they had evidence of threat actors targeting the vulnerability.
- The Cybersecurity and Infrastructure Security Agency on Tuesday added CVE-2024-53704 to its known exploited vulnerabilities catalog.
Dive Insight:
SonicWall patched the vulnerability after researchers from Computest Security disclosed the flaw. At the time, SonicWall said it was not aware of active exploitation.
However, Bishop Fox researchers released technical details showing how attackers can hijack active SSL VPN sessions and gain unauthorized access to a network.
According to Bishop Fox, an attacker can read a user’s Virtual Office bookmarks, get a client configuration profile for NetExtender, access private networks and conduct other activities.
“As the scope of the vulnerability is currently understood, it could be used by threat actors to bypass authentication (including MFA) to disrupt service availability, and for disclosure of confidential information,” Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, said via email.
SonicWall said in an emailed statement that “there are no reports of exploitation related to this vulnerability.”
The company, however, reiterated a statement issued last week, urging customers and partners to upgrade their firmware.
Caitlin Condon, director of vulnerability intelligence at Rapid7, said the firm was aware of reports of active exploitation, but had not seen any successful exploitation in its production environments.
Arctic Wolf researchers said they have previously seen Akira ransomware actors target SSL VPN accounts on SonicWall devices as initial access points for attacks.
SonicWall in January warned that threat actors were targeting a critical vulnerability, listed as CVE-2025-23006, in SMA 1000 appliances.