
Critical SonicWall SSLVPN authentication bypass exploited in the wild

Bug lets attackers bypass even accounts with multi-factor authentication enabled.

A SonicWall appliance, for illustration purposes only.

A critical authentication bypass affecting SonicWall’s SonicOS SSLVPN has now been exploited in the wild, CISA has warned.

The Improper Authentication vulnerability, tracked as CVE-2024-53704, was first reported through the Zero Day Initiative in January. It allows remote attackers to bypass authentication and hijack existing authenticated SSLVPN client sessions, potentially leading to remote code execution.

After evidence of active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV), alongside a separate authentication bypass issue affecting Palo Alto’s PAN-OS software, CVE-2025-0108.

The SonicOS vulnerability has caused particular concern among experts, given how frequently SSLVPN is exposed to the public internet.

Analysis by cybersecurity platform Rapid7 found that “multi-factor authentication is bypassed during exploitation, facilitating initial access even via accounts with MFA enabled.”

According to ZDI’s advisory from January, which credits the vulnerability to Daan Keuper, Thijs Alkemade and Khaled Nasser of Computest Security, the flaw exists within the processing of Base64-encoded session cookies.

Affected customers can fix the vulnerability with the patches published by SonicWall in its initial security advisory, alongside fixes for three other SonicOS issues. The company urges those unable to apply a firmware update to disable SSLVPN and seek further support.

Meanwhile, the vulnerability affecting Palo Alto’s PAN-OS was first reported just earlier this month by the company’s own research team and Adam Kues from Assetnote.

As Palo Alto warns, it allows an unauthenticated attacker with network access to PAN-OS’ management web interface to bypass authentication and invoke specific PHP scripts.

Kevin Robertson, CTO of cybersecurity firm Acumen Cyber, warned that “This level of access would allow attackers to modify configurations, bypass security controls and move laterally within an organisation's network.”

Palo Alto advises customers that the risk from the issue can be reduced by restricting access to the management web interface, while upgrading PAN-OS to the latest version fixes the flaw.

The issue comes just a few months after CISA warned of a critical authentication vulnerability in another Palo Alto product, its Expedition migration tool, adding CVE-2024-5910 to the KEV catalog in November.

It also follows exploitation in the wild this year of Fortinet (CVE-2024-55591) and Ivanti (CVE-2025-0282) appliances – and comes as the Five Eyes intelligence community published guidance on February 4 focused on protecting such network assets and ramped up pressure on vendors to improve product security.


As the UK's NCSC put it earlier this month: "Network devices and appliances are prime targets for malicious actors because they play a crucial role managing and processing traffic. When targeting these devices, malicious actors have exploited vulnerabilities and insecure design features to gain and maintain valuable accesses. These actors can remain inside networks until detected and denied access."

The agency added: "Devices and appliances should support full non-volatile storage collection of the entire data storage capability of the device, ideally through standard interfaces. A system owner should be able to decrypt the contents of the stored data, potentially involving vendor support, to inspect it with standard tools where possible and where the security risks of being able to do so are managed.

"Initial configuration of the system may be required to make this possible, for example ‘bring your own key’. It is recommended that protection of keys be a primary consideration. Additionally, for physical devices, the device’s firmware and hardware should be designed to prevent unauthorised data extraction, such as implementing secure boot processes, Trusted Platform Module (TPM) integration and disabling unnecessary physical interfaces that could be exploited. Any interfaces used for non-volatile data collection should require strong authentication and authorisation controls to prevent misuse."
