CVE-2024-53704

CVE-2024-53704 is a critical-severity vulnerability in Sonicwall Sonicos with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-02-18). The underlying weakness is classified as CWE-287.

Key facts

Description

An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.

CVE-2024-53704: SonicWall SonicOS SSLVPN Authentication Bypass

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-53704
CVSS v3.1 9.8 (CRITICAL)
EPSS 0.95132 (99.85th percentile)
CWE CWE-287: Improper Authentication
KEV Yes (CISA catalog, added 2025-02-18)
EU Exploited Yes (since 2025-02-18)
Vendor SonicWall
Published 2025-01-09

Summary

CVE-2024-53704 is a critical improper authentication vulnerability in the SSLVPN authentication mechanism of SonicWall SonicOS. A remote attacker can exploit this flaw to bypass authentication entirely, granting unauthorized access to VPN-protected internal networks without valid credentials.

Background

SonicWall SonicOS powers the company's firewall and network security appliances, providing SSLVPN capabilities that enable remote workers to access corporate resources securely. SSLVPN endpoints are typically exposed to the internet, making authentication the primary security boundary. A flaw in this boundary is especially severe because it allows adversaries to bypass the very gatekeeper designed to protect internal infrastructure.

Root Cause

The vulnerability is classified under CWE-287: Improper Authentication. The SonicOS SSLVPN authentication mechanism fails to correctly validate authentication state under certain conditions, allowing an attacker to reach protected resources without presenting valid credentials. This suggests a logic flaw in the session-handling or authentication-state validation code path rather than a memory-corruption issue.

Impact

With a CVSS v3.1 score of 9.8 (CRITICAL), the impact is severe:

  • Attack Vector (AV): Network — exploitable remotely without local access.
  • Attack Complexity (AC): Low — no special conditions or advanced techniques required.
  • Privileges Required (PR): None — no user account needed.
  • User Interaction (UI): None — fully automated exploitation possible.
  • Scope (S): Unchanged — impact remains within the vulnerable component.
  • Confidentiality (C): High — adversaries can access sensitive internal data.
  • Integrity (I): High — adversaries can modify data or configurations.
  • Availability (A): High — adversaries can disrupt services or deploy ransomware.

Successful exploitation effectively collapses the network perimeter for affected devices.

Exploitation Walkthrough (Defensive Perspective)

Ethics Notice: This section is provided for defensive awareness only. Do not attempt to exploit systems you do not own or have explicit authorization to test.

Attackers targeting this vulnerability typically:

  1. Identify externally exposed SonicWall SSLVPN portals (often on TCP 4433 or custom HTTPS ports).
  2. Send crafted requests to the SSLVPN authentication endpoint that manipulate the authentication state validation.
  3. Achieve session establishment without valid credentials, effectively bypassing the login flow.
  4. Pivot into the internal network with the same access level as a legitimate VPN user.

Because the attack complexity is low and no credentials are required, this vulnerability is particularly attractive to opportunistic and targeted threat actors alike.

Affected and Patched Versions

The following SonicWall SonicOS versions and hardware platforms are identified in the vulnerability data as affected:

Affected SonicOS versions:

  • SonicOS 7.1.2-7019
  • SonicOS 8.0.0-8035
  • Additional SonicOS builds may be affected (consult vendor guidance)

Affected hardware families:

  • NSA series: 2700, 3700, 4700, 5700, 6700
  • NSSP series: 10700, 11700, 13700, 15700
  • NSV series: 270, 470, 870
  • TZ series: TZ80, TZ270/270W, TZ370/370W, TZ470/470W, TZ570/570P/570W, TZ670

Patched versions: Specific fixed releases were not provided in the source data. Administrators should consult the SonicWall PSIRT advisory SNWLID-2025-0003 for current patch availability and upgrade paths.

Remediation

  1. Upgrade SonicOS: Apply the latest firmware version provided by SonicWall that addresses CVE-2024-53704. Verify patch applicability against your specific appliance model.
  2. Restrict SSLVPN Access: Limit SSLVPN portal exposure to known IP ranges via firewall rules or geo-restriction where possible.
  3. Enable Multi-Factor Authentication (MFA): While this flaw bypasses authentication entirely, maintaining MFA for all remote access reduces risk from other credential-based attacks.
  4. Monitor for Anomalous VPN Sessions: Review SSLVPN logs for unexpected source IPs, unusual connection times, or sessions that lack corresponding successful login events.
  5. Compensating Controls: If patching is not immediately feasible, consider disabling the SSLVPN service or placing it behind an additional access gateway (e.g., a bastion host or alternative VPN solution) until the fix can be applied.

Detection

  • Log Analysis: Examine SonicOS SSLVPN logs for successful session establishment events that do not have a preceding successful authentication event.
  • Network Monitoring: Alert on new or unusual IP addresses establishing SSLVPN tunnels, particularly from geolocations or ASNs not associated with legitimate remote users.
  • SIEM Rules: Correlate SSLVPN session start events with authentication failure logs; anomalous pairings may indicate bypass attempts.
  • Threat Intelligence: Monitor for indicators associated with known exploitation campaigns targeting SonicWall appliances.

Assessment

CVE-2024-53704 represents a critical perimeter-bypass risk. With an EPSS score of 0.95132 (99.85th percentile) and confirmed inclusion in both the CISA Known Exploited Vulnerabilities catalog and the EU exploited vulnerabilities list, this flaw is under active, real-world exploitation. The combination of network-accessible attack surface, low complexity, and no privilege requirements makes it a textbook critical vulnerability requiring immediate attention.

Key takeaways:

  • Authentication bypass vulnerabilities in edge-facing services are among the highest-impact flaws an organization can face.
  • The high EPSS and confirmed KEV status should elevate this to a patching emergency, not a routine maintenance item.

References

Frequently asked questions

What is CVE-2024-53704?
An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
How severe is CVE-2024-53704?
CVE-2024-53704 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-53704 being actively exploited?
Yes. CVE-2024-53704 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-02-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-53704?
CVE-2024-53704 primarily affects Sonicwall Sonicos. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-53704?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-53704 have an EU (EUVD) identifier?
Yes. CVE-2024-53704 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-52037. It is also flagged as exploited in the EUVD (since 2025-02-18).
When was CVE-2024-53704 published?
CVE-2024-53704 was published on 2025-01-09 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Sonicwall Sonicos

All CVEs affecting Sonicwall Sonicos →

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →