Advisory

February 21 Advisory: SonicOS SSLVPN Vulnerability Added to CISA KEV [CVE-2024-53704]

Date of Disclosure (source): January 7, 2025
Date Reported as Actively Exploited (source): February 18, 2025

CVE-2024-53704 is a critical vulnerability affecting SonicWall TZ, NSa, and NSsp series firewalls and NSv series virtual firewalls, with CVSS scores ranging from 8.2 (assigned by CISA) to 9.8 (assigned by NVD). A complete breakdown of the affected models and versions is available in the table below and in SonicWall’s security advisory.

If successfully exploited, CVE-2024-53704 allows a remote attacker to bypass authentication due to a flaw in the SSLVPN authentication mechanism of select SonicWall firewall models. 

Researchers from Bishop Fox traced the flaw to improper handling of base64-encoded session cookies in the authentication mechanism. Specifically, the getSslvpnSessionFromCookie function fails to properly verify session cookies, allowing attackers to hijack active sessions without credentials.

This vulnerability is known to be actively exploited, and was added to CISA KEV on February 18, 2025. 

Field: Details
CVE-ID: CVE-2024-53704 – CVSS 9.8 (critical) – assigned by NVD
Vulnerability Description: An authentication bypass vulnerability in the SSL VPN authentication mechanism of select SonicWall firewall models. The flaw stems from improper handling of Base64-encoded session cookies in the getSslvpnSessionFromCookie function, which fails to properly verify session cookies. This allows a remote attacker to hijack active SSL VPN sessions without credentials.
Date of Disclosure: January 7, 2025
Affected Assets: The getSslvpnSessionFromCookie function of the SSLVPN authentication mechanism in various SonicWall TZ/NSa/NSsp/NSv series firewalls.
Vulnerable Software Versions:
  • Gen7 TZ-Series firewalls (TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670) 7.1.x, 7.1.1-7058 and older versions, and version 7.1.2-7019.
  • Gen7 NSa-Series firewalls (NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700) 7.1.x, 7.1.1-7058 and older versions, and version 7.1.2-7019.
  • Gen7 NSsp-Series firewalls (NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700) 7.1.x, 7.1.1-7058 and older versions, and version 7.1.2-7019.
  • Gen7 NSv-Series virtual firewalls (NSv 270, NSv 470, NSv 870) 7.1.x, 7.1.1-7058 and older versions, and version 7.1.2-7019.
  • TZ80 Firewall version 8.0.0-8035.
PoC Available?: A detailed writeup of the vulnerability by researchers from Bishop Fox is available here. Additionally, there are multiple PoC exploit code snippets available on GitHub.
Exploitation Status: This vulnerability is known to be actively exploited and was added to CISA KEV on February 18, 2025.
Patch Status: This vulnerability has been patched, and SonicWall’s advisory includes a table listing the fixed platforms and their patched versions.

Censys Perspective

At the time of writing, Censys observed 5,065 exposed instances of a TZ, NSa, NSsp, or NSv series firewall. Of these 5,065 instances, 462 exposed both a vulnerable model number and a vulnerable version. 
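To apply the same model-plus-version match to your own firewall inventory, the following is an added example (not Censys or SonicWall code) that classifies rows against the table above. It assumes "7.1.x, 7.1.1-7058 and older versions" means builds in the 7.1 branch up to and including 7.1.1-7058; the function names, verdict labels and sample rows are constructed for illustration.

```python
import re

# Models from the advisory table above, normalized (spaces removed, uppercased).
GEN7_MODELS = {
    "TZ270", "TZ270W", "TZ370", "TZ370W", "TZ470", "TZ470W", "TZ570",
    "TZ570W", "TZ570P", "TZ670",
    "NSA2700", "NSA3700", "NSA4700", "NSA5700", "NSA6700",
    "NSSP10700", "NSSP11700", "NSSP13700", "NSSP15700",
    "NSV270", "NSV470", "NSV870",
}
GEN7_LAST_VULNERABLE_71 = (7, 1, 1, 7058)  # "7.1.1-7058 and older versions"
GEN7_EXTRA_VULNERABLE = (7, 1, 2, 7019)    # "and version 7.1.2-7019"
TZ80_VULNERABLE = (8, 0, 0, 8035)          # "TZ80 Firewall version 8.0.0-8035"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")

def parse_version(text):
    """Return (major, minor, patch, build), or None if no build string is found."""
    m = VERSION_RE.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def triage(model, version):
    """Classify one inventory row as 'vulnerable', 'not-listed' or 'unknown'."""
    key = re.sub(r"[\s_-]+", "", model or "").upper()
    if key not in GEN7_MODELS and key != "TZ80":
        return "not-listed"   # model is outside the advisory's table
    ver = parse_version(version)
    if ver is None:
        return "unknown"      # affected model, unreadable version: check by hand
    if key == "TZ80":
        return "vulnerable" if ver == TZ80_VULNERABLE else "not-listed"
    # Assumption: "older" is limited to the 7.1 branch named in the table.
    in_71_range = ver[:2] == (7, 1) and ver <= GEN7_LAST_VULNERABLE_71
    return "vulnerable" if in_71_range or ver == GEN7_EXTRA_VULNERABLE else "not-listed"

def summarize(rows):
    """Count verdicts over (model, version) rows."""
    counts = {}
    for model, version in rows:
        verdict = triage(model, version)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample inventory; "7.1.9-9999" is a made-up build number.
SAMPLE_INVENTORY = [
    ("NSa 2700", "SonicOS 7.1.1-7058"), ("TZ270W", "7.1.2-7019"),
    ("NSv 470", "7.1.9-9999"), ("TZ80", "8.0.0-8035"), ("TZ670", ""),
]
```

A "not-listed" verdict only means the row does not match the vulnerable versions listed on this page; confirm the fixed version for each platform against SonicWall's advisory.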

Map of Exposed Vulnerable SonicWall TZ/NSa/NSsp/NSv Series Firewalls:

Censys Search Query:

services.software: (vendor="SonicWall" and product:{"TZ","NSa","NSsp","NSv"}) and not labels: {tarpit, honeypot}

Censys ASM Query:

host.services.software: (vendor="SonicWall" and product:{"TZ","NSa","NSsp","NSv"}) and not host.labels: {tarpit, honeypot}

Censys Platform Query:

host.services.hardware: (vendor:"SonicWall" and product:{"TZ","NSa","NSsp","NSv"}) and not host.labels.value: {"TARPIT", "HONEYPOT"}
