SonicWall VPN flaw could allow hackers to hijack your sessions, so patch now

A VPN runs on a mobile phone placed on a laptop keyboard

(Image credit: Getty Images)

Bishop Fox found a way to abuse a SonicWall VPN flaw
It allows threat actors to bypass authentication and hijack sessions
There are thousands of vulnerable endpoints

A major vulnerability in the SonicWall VPN which can be exploited to hijack sessions and access the target network has now seen its first proof-of-concept (PoC) attack, meaning it’s only a matter of time before cybercriminals start exploiting it in the wild.

In early January 2025, SonicWall raised the alarm on a vulnerability in SonicOS and urged its users to apply the fix immediately. The flaw is tracked as CVE-2024-53704, and described as an Improper Authentication bug in the SSLVPN authentication mechanism. It was given a severity score of 9.8/10 (critical) and was said it could be abused to allow a remote attacker to bypass authentication.

It impacted SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035. SonicWall released versions SonicOS 8.0.0-8037 and later, 7.0.1-5165 and higher, 7.1.3-7015 and higher, and 6.5.5.1-6n and higher, to address the bug. At the time, there were more than 4,500 internet-exposed endpoints.

Proof of Concept

Now, since SonicWall users were given enough time to patch, security researchers from Bishop Fox came forward with more details about the vulnerability, as well as a PoC. After a “significant” reverse-engineering effort, Bishop Fox said the vulnerability could be exploited by sending a custom-built session cookie containing a base64-encoded string of null bytes to the SSLVPN authentication endpoint.

This results in the endpoint assuming the request was associated with an active VPN session and incorrectly validates it. As a result, the target is logged out, while the attacker gets access to the session, including the ability to read the victim’s Virtual Office bookmarks, access VPN client configuration settings, open a VPN tunnel, and more.

"With that, we were able to identify the username and domain of the hijacked session, along with private routes the user was able to access through the SSL VPN," the researchers said.

Via BleepingComputer

This major firmware flaw is affecting Intel-powered PCs across the world
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.