CVE-2024-53704 — SonicWall SonicOS SSLVPN Improper Authentication Vulnerability

SonicWall SonicOS — SSLVPN Session Authentication Bypass; Fog and Akira Ransomware Active Exploitation

What is SonicWall SonicOS SSLVPN?

SonicWall SonicOS is the operating system of SonicWall's next-generation firewalls, which include integrated SSLVPN functionality allowing remote workers to connect to corporate networks. SonicWall appliances are widely deployed as perimeter security devices in SMB and enterprise environments. The SSLVPN service is internet-facing by design, making authentication bypass vulnerabilities in it particularly dangerous.

SonicWall appliances have been targeted repeatedly: CVE-2021-20016 (2021 zero-day used by ransomware), CVE-2023-44221 (2023), and CVE-2024-53704 (this CVE) represent a recurring pattern.

Overview

CVE-2024-53704 is an improper authentication vulnerability (CWE-287) in the SonicWall SonicOS SSLVPN authentication mechanism that allows a remote unauthenticated attacker to bypass authentication and gain unauthorized access to the SSLVPN. Fog ransomware and Akira ransomware operators actively exploited this vulnerability after technical analysis and a proof-of-concept were published in February 2025, leading to CISA's KEV listing with a 21-day remediation deadline.

Affected Versions

SonicOS Branch    Vulnerable       Fixed
7.1.x             < 7.1.3.2        7.1.3.2
7.1.2.x           < 7.1.2.7019     7.1.2.7019
8.0.0.x           < 8.0.0.1-11e    8.0.0.1-11e

Technical Details

The improper authentication (CWE-287) in the SSLVPN authentication flow allows an attacker to bypass authentication checks and obtain a valid VPN session without presenting valid credentials. The exact mechanism involves manipulating the SSLVPN authentication flow such that session validation is bypassed — the attacker receives a valid session token without going through the credential verification step.

With a valid SSLVPN session, the attacker gains:

  • Network access to internal resources accessible through the VPN
  • The ability to appear as a legitimate authenticated VPN user in logs
  • A foothold for lateral movement into the corporate network

Impact scope: SonicWall SSLVPN is used by organizations for remote access — compromising it provides direct access to the internal network as if the attacker were a legitimate remote employee.

Discovery

Initial discovery has not been publicly attributed. Bishop Fox published technical analysis on February 12, 2025, which accelerated exploitation by lowering the technical barrier for ransomware operators.

Exploitation Context

Fog ransomware and Akira ransomware operators were confirmed exploiting CVE-2024-53704 following Bishop Fox's February 2025 analysis. Both ransomware groups target SMB and mid-market organizations across multiple industries. CISA added the vulnerability to KEV on February 18, 2025, six days after the technical analysis was published, reflecting rapid exploitation in the wild.

The ransomwareUse: true flag confirms direct ransomware deployment following SSLVPN authentication bypass.

Remediation

  1. Apply SonicWall SonicOS patches per the version table above immediately. The CISA deadline was March 11, 2025.
  2. Enable Multi-Factor Authentication for SSLVPN — even if the authentication bypass is patched, MFA adds a second factor that prevents credential-based attacks and reduces the impact of future authentication vulnerabilities.
  3. Restrict SSLVPN access to known IP ranges where feasible — geo-blocking or IP allowlisting reduces exposure to opportunistic scanning.
  4. Audit SSLVPN session logs for authentication events without corresponding valid credential submissions — indicators of authentication bypass exploitation.
  5. Review network access logs for VPN sessions from unexpected source IP addresses or times, which could indicate unauthorized access using bypassed authentication.
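
One way to carry out the log checks in steps 4 and 5, as an added example (not SonicWall's code and not part of the original page). It runs over constructed, normalized events: the event names `login_ok` and `session_start`, the field layout, the allowlist, the working hours and the 5-minute window are all assumptions, and real SonicOS logs would first have to be mapped into this shape.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events in a hypothetical normalized form (time, event, user, src).
# "login_ok" = credentials verified, "session_start" = SSLVPN session established.
SAMPLE_EVENTS = [
    ("2025-02-14T09:02:11", "login_ok", "alice", "198.51.100.10"),
    ("2025-02-14T09:02:13", "session_start", "alice", "198.51.100.10"),
    ("2025-02-14T03:41:50", "session_start", "bob", "203.0.113.77"),
    ("2025-02-14T10:15:00", "login_ok", "carol", "198.51.100.23"),
    ("2025-02-14T10:15:04", "session_start", "carol", "192.0.2.200"),
]

ALLOWED_NETS = [ip_network("198.51.100.0/24")]  # assumed known remote-access ranges
WORK_HOURS = range(7, 20)                       # assumed expected hours, 07:00-19:59
LOGIN_WINDOW = timedelta(minutes=5)             # assumed max gap from login to session


def audit_sessions(events, allowed=ALLOWED_NETS, hours=WORK_HOURS, window=LOGIN_WINDOW):
    """Return (time, user, src, reasons) for every session_start that looks suspicious."""
    parsed = sorted((datetime.fromisoformat(t), ev, user, src) for t, ev, user, src in events)
    last_login = {}  # (user, src) -> time of the most recent verified credential submission
    findings = []
    for ts, ev, user, src in parsed:
        if ev == "login_ok":
            last_login[(user, src)] = ts
            continue
        if ev != "session_start":
            continue
        reasons = []
        seen = last_login.get((user, src))
        # Step 4: a session with no recent credential submission from the same user and source.
        if seen is None or ts - seen > window:
            reasons.append("no_credential_submission")
        # Step 5: a session from an unexpected source address or at an unexpected time.
        if not any(ip_address(src) in net for net in allowed):
            reasons.append("unexpected_source")
        if ts.hour not in hours:
            reasons.append("unexpected_time")
        if reasons:
            findings.append((ts.isoformat(), user, src, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_EVENTS):
        print(finding)
```

A session flagged only for source or time may be a travelling user; a session with `no_credential_submission` is the one to investigate first.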

Key Details

Property                Value
CVE ID                  CVE-2024-53704
Vendor / Product        SonicWall — SonicOS
NVD Published           2025-01-09
NVD Last Modified       2025-10-31
CVSS 3.1 Score          9.8
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                CRITICAL
CWE                     CWE-287
CISA KEV Added          2025-02-18
CISA KEV Deadline       2025-03-11
Known Ransomware Use    ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-03-11. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-01-09    CVE published; SonicWall releases patches
2025-02-12    Bishop Fox publishes technical analysis; PoC released; Arctic Wolf confirms ransomware exploitation
2025-02-18    CISA adds to KEV
2025-03-11    CISA BOD 22-01 remediation deadline