- February 20, 2025
- Beazley Security Labs
SonicWall SSL VPN Session Hijacking (CVE-2024-53704)
On January 7th, SonicWall published an advisory regarding an improper authentication vulnerability in their SonicOS SSL VPN service. The criticality of this vulnerability increased on February 10, 2025, when trivial proof-of-concept code emerged and attacks began being observed in the wild.
Executive Summary
The critical vulnerability (CVE-2024-53704) affects SonicWall SSL VPN products, allowing attackers to hijack already established user sessions. The proof-of-concept exploit leverages a flaw in how VPN sessions are managed, allowing an adversary to impersonate a legitimate user with an active VPN session. If successful, the adversary can gain unauthorized access to the same resources as the impersonated user.
SonicWall has released an update to their original advisory, which confirms proof-of-concept exploits are now publicly available and recommends customers urgently upgrade impacted SonicWall Firewall products.
Beazley Security recommends organizations immediately apply patches for affected SonicWall devices and review affected systems for signs of compromise.
Affected Systems or Products
The devices and firmware versions impacted by this vulnerability are listed in the table below:
| Device | Affected Firmware Versions | Fixed Firmware Versions |
|---|---|---|
| Gen7 firewalls | 7.1.x (7.1.1-7058 and older versions), and version 7.1.2-7019 | 7.1.3-7015 and higher |
| Gen7 NSv virtual firewalls | 7.1.x (7.1.1-7058 and older versions), and version 7.1.2-7019 | 7.1.3-7015 and higher |
| TZ80 (small office) | Version 8.0.0-8035 | 8.0.0-8037 and higher |
NOTE: SonicWall SSL VPN SMA100 and SMA1000 series are not affected by this specific vulnerability.
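The table above is the data a defender needs to sweep a firewall inventory for unpatched builds. The following is an added example, not code from the advisory or from SonicWall: it parses SonicOS version strings of the form `major.minor.patch-build` into comparable tuples and classifies each device against the affected and fixed builds listed in the table. The inventory records and hostnames are constructed placeholders; the product keys `gen7` and `tz80` are names chosen here, and Gen7 NSv is treated the same as Gen7 firewalls because the table gives both the same ranges.

```python
import re

# Fixed-version thresholds from the advisory table on this page; any build at or
# above these values is patched. Gen7 NSv shares the Gen7 firewall threshold.
FIXED = {
    "gen7": (7, 1, 3, 7015),
    "tz80": (8, 0, 0, 8037),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos_version(text):
    """Turn 'major.minor.patch-build' (e.g. '7.1.1-7058') into a tuple of ints
    so builds can be compared with ordinary tuple ordering."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version):
    """Classify a firmware build as 'fixed', 'affected' or 'not listed'
    according to the advisory table. 'not listed' means the build is outside
    the ranges the table names, so it needs a manual check, not a pass."""
    v = parse_sonicos_version(version)
    if product == "gen7":
        if v >= FIXED["gen7"]:
            return "fixed"
        # 7.1.x at or below 7.1.1-7058, plus the specific 7.1.2-7019 build
        if v[:2] == (7, 1) and (v <= (7, 1, 1, 7058) or v == (7, 1, 2, 7019)):
            return "affected"
    elif product == "tz80":
        if v >= FIXED["tz80"]:
            return "fixed"
        if v == (8, 0, 0, 8035):
            return "affected"
    else:
        raise ValueError(f"unknown product key: {product!r}")
    return "not listed"


def needs_attention(inventory):
    """Return (hostname, status) for every device that is not confirmed fixed."""
    return [
        (host, assess(product, version))
        for host, product, version in inventory
        if assess(product, version) != "fixed"
    ]


# Constructed inventory for demonstration; hostnames and builds are placeholders.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "gen7", "7.1.1-7058"),
    ("fw-branch-02", "gen7", "7.1.2-7019"),
    ("fw-dc-01", "gen7", "7.1.3-7015"),
    ("fw-lab-01", "gen7", "7.0.1-5000"),
    ("tz80-shop", "tz80", "8.0.0-8035"),
    ("tz80-kiosk", "tz80", "8.0.0-8037"),
]

if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Builds the table does not name (for example a 7.0.x release) come back as `not listed` rather than `fixed`, so they are surfaced for a manual check against the vendor advisory instead of being silently passed.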
Mitigations / Workarounds
Beazley Security strongly encourages the available firmware updates be applied as soon as possible. If the updates cannot be applied, Beazley Security recommends restricting access to the appliance’s SSL VPN to only trusted networks until the device can be updated. SonicWall has also recommended the SSL VPN functionality be temporarily disabled in cases where this is feasible. SSL VPN configuration guidance can be found here.
Patches
SonicWall’s advisory states that updates have been made available to fix this issue. Please see the fixed firmware versions table above for version-specific information. Generally, patches can be found by performing the following steps:
1. Log in to https://www.mysonicwall.com/.
2. Find the “Resources & Support | My Downloads” section and select the impacted model from the list provided.
Additional details on how to upgrade SonicOS firmware can be found on SonicWall’s support page. If further assistance is required with the upgrade process, it is recommended to contact SonicWall technical support.
Indicators of Compromise
SonicWall has released the following event log sample after a successful exploit of the publicly available proof of concept:
```
ID: [event_ID] Event: SSL VPN Session Message Type: Simple Message String Message:
“User [SSLVPN_User]: Reuse SSLVPN session for the no. time(s)”
```
At the time of this writing, there have not been other publicly shared IoCs related to active exploitation of this vulnerability.
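The event message quoted above is the one indicator SonicWall has published, so a hunt for this vulnerability is a search for that string across exported firewall logs. The following is an added example, not code from SonicWall or from the advisory: it matches only the message body (`User <name>: Reuse SSLVPN session for the <n> time(s)`), so it works whether the line comes in the log-viewer layout shown above or in a syslog export with different surrounding fields, and it tallies hits per account so the most-reused sessions can be triaged first. The sample log lines, event IDs and usernames are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines (not from the advisory) shaped like the SonicWall
# "SSL VPN Session" event quoted above, mixed with unrelated noise lines.
# Event IDs and usernames are placeholders.
SAMPLE_LOG = """\
ID: 9001 Event: SSL VPN Session Message Type: Simple Message String Message: "User jdoe: SSLVPN session started"
ID: 9001 Event: SSL VPN Session Message Type: Simple Message String Message: "User jdoe: Reuse SSLVPN session for the 1 time(s)"
ID: 9001 Event: SSL VPN Session Message Type: Simple Message String Message: "User jdoe: Reuse SSLVPN session for the 2 time(s)"
ID: 9002 Event: Connection Closed Message Type: Simple Message String Message: "TCP connection dropped"
ID: 9001 Event: SSL VPN Session Message Type: Simple Message String Message: "User asmith: Reuse SSLVPN session for the 1 time(s)"
"""

# Anchor on the message body only; the fields around it vary by export format.
REUSE_RE = re.compile(
    r'User\s+(?P<user>[^:"]+):\s+Reuse SSLVPN session for the\s+(?P<count>\d+)\s+time\(s\)'
)


def find_session_reuse(lines):
    """Return one record per line carrying the session-reuse indicator."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REUSE_RE.search(line)
        if m:
            hits.append({
                "line": lineno,
                "user": m.group("user").strip(),
                "count": int(m.group("count")),
                "raw": line.strip(),
            })
    return hits


def reuse_by_user(hits):
    """Count reuse events per account so triage can start with the noisiest."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    hits = find_session_reuse(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'line {h["line"]}: user={h["user"]} reuse_count={h["count"]}')
    print(dict(reuse_by_user(hits)))
```

Every hit names the account whose session was reused, which is the starting point for the investigation: the affected user's session should be terminated and the resources reachable through that session reviewed for activity the user did not perform.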
Technical Details
SonicWall has not publicly disclosed many technical details about this vulnerability or the specific devices that have been exploited in the wild. However, the researchers at Bishop Fox who discovered the vulnerability have released an extensive write-up on the SSL VPN session-hijacking vulnerability along with proof-of-concept exploit code.
According to Bishop Fox, the issue lies in how session tokens are tracked and generated by the SSL VPN device. The SSL VPN functionality does not differentiate tokens across sessions or users, which allows a single token to be reused for concurrent sessions.
The session token issue is further abused by tricking the NetExtender protocol into revealing a valid session cookie. Because the appliance does not enforce proper access controls on particular NetExtender requests, an attacker does not need to be authenticated. By sending a specific, unauthenticated request to the cgi-bin/sslvpnclient endpoint on a vulnerable SSL VPN appliance, the VPN will leak established session information:
```python
# Request fragment from the Bishop Fox proof of concept, as quoted on this page
"https://<IP>:4433/cgi-bin/sslvpnclient?launchplatform=",
cookies={"swap": base64.b64encode(b"\x00" * 32).decode()},
verify=False
```
As a result, the VPN responds by returning a “swap” session cookie for the oldest active SSL VPN session along with a connection profile, allowing the attacker to impersonate and establish a session as this user.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations to remediate any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.