Patch Sonicwall now! Attackers bypass authentication of firewalls

Attacks are currently taking place on Sonicwall firewalls. Security updates are available for download.

Certain Sonicwall firewalls are vulnerable, and attackers are actively exploiting the security vulnerability to hijack VPN connections.

Security researchers from Arctic Wolf warn of this in an article. The attacks began shortly after the publication of proof-of-concept code (PoC). The vulnerability (CVE-2024-53704, rated "high") has been known since early 2025. At that time, Sonicwall already warned that attacks were highly likely. This has now been confirmed. According to the researchers, around 4500 vulnerable firewalls were still accessible via the internet at the beginning of February. Admins should act quickly.

The vulnerability affects the SonicOS SSLVPN component. Because an authentication algorithm is not implemented correctly, errors occur when processing Base64 cookies and attackers can bypass authentication. Attacks are possible remotely and without authentication. The researchers have compiled further technical details on the attack process in a report.

Attackers then take control of VPN sessions. In such a position, they can spread throughout the network and install ransomware, for example. The specific impact of the current attacks and the extent to which they are taking place is currently unknown.

In a warning message, Sonicwall writes that only Gen6, Gen7 and Gen7-NSv firewalls are at risk. Versions 6.5.5.1-6n, 7.0.1-5165 and 7.1.3-7015 are protected against this. All previous versions are vulnerable.

Sonicwall lists this log entry as an indicator of compromise (IoC) for attacks that have already taken place:

ID: [event_ID]

Event: SSL VPN Session

Message Type: Simple Message String

Message: "User [SSLVPN_User]: Reuse SSLVPN session for the no. time(s)"
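One way to search exported firewall logs for the message above and group the hits per user, as an added example that is not part of the original article or Sonicwall's advisory. The log line layout (leading ISO timestamp, then key="value" fields), the user names and the timestamps are constructed assumptions; only the message text comes from the IoC.

```python
import re
from collections import defaultdict

# Message text from the vendor IoC. The text between "for the" and "time(s)"
# is matched loosely because the page only shows it as a placeholder.
IOC = re.compile(
    r"User (?P<user>[^:]+): Reuse SSLVPN session for the (?P<count>.*?) ?time\(s\)"
)

# Constructed sample export (assumed layout: ISO timestamp, then key="value" fields).
SAMPLE_LOG = '''\
2025-02-14T08:01:12Z event="SSL VPN Session" msg="User alice: Login successful"
2025-02-14T08:03:40Z event="SSL VPN Session" msg="User alice: Reuse SSLVPN session for the 1 time(s)"
2025-02-14T08:09:05Z event="SSL VPN Session" msg="User bob: Logout"
2025-02-14T08:15:27Z event="SSL VPN Session" msg="User alice: Reuse SSLVPN session for the 2 time(s)"
2025-02-14T09:30:00Z event="SSL VPN Session" msg="User carol: Reuse SSLVPN session for the 1 time(s)"
'''


def find_session_reuse(lines):
    """Return {user: [(timestamp, raw_count), ...]} for lines matching the IoC."""
    hits = defaultdict(list)
    for line in lines:
        m = IOC.search(line)
        if not m:
            continue
        # The first whitespace-delimited token is treated as the timestamp (assumption).
        ts = line.split(None, 1)[0]
        hits[m.group("user").strip()].append((ts, m.group("count").strip()))
    return dict(hits)


def summarize(hits):
    """One line per affected user: hit count plus first and last occurrence."""
    return [
        f"{user}: {len(ev)} hit(s), first {ev[0][0]}, last {ev[-1][0]}"
        for user, ev in sorted(hits.items())
    ]


if __name__ == "__main__":
    for row in summarize(find_session_reuse(SAMPLE_LOG.splitlines())):
        print(row)
```

Adjust the timestamp extraction to the actual export format of the firewall or SIEM before running it against real logs.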

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.