Palo Alto Networks and SonicWall Firewalls Under Attack


Palo Alto Networks and SonicWall customers are being advised to patch their products, after it emerged that threat actors are actively exploiting vulnerabilities in both.

SonicWall first detailed authentication bypass bug CVE-2024-53704 in a security update on January 7. It impacts the firm’s SonicOS, which powers various firewall devices.

“An improper authentication vulnerability in the SSL VPN authentication mechanism allows a remote attacker to bypass authentication,” it warned of the CVSS 8.2-rated vulnerability.

The vendor’s security advisory was updated last week with a warning that proof-of-concepts (PoCs) for the vulnerability are now publicly available.

“This significantly increases the risk of exploitation,” it said. “Customers must immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update is not possible, disable SSLVPN. For further assistance, please contact SonicWall support.”


Towards the end of the week, at least one security vendor said it had seen signs of exploitation in the wild.

“The released PoC exploit allows an unauthenticated threat actor to bypass MFA, disclose private information, and interrupt running VPN sessions,” noted Arctic Wolf. “Historically, threat actors have leveraged authentication bypass vulnerabilities on firewall and VPN gateways to deploy ransomware.”

Separately, threat actors also appear to be targeting firewalls from Palo Alto Networks.

The vendor released a security update on February 12, detailing how CVE-2025-0108 impacts the PAN-OS management web interface.

“An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts,” it explained.

“While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.”

Time for an Upgrade

Although workarounds are available, Palo Alto urged customers to upgrade to a supported, fixed version of the product.

While the vendor claimed at the time of its security update it was “not aware of any malicious exploitation of this issue,” security researchers warned of new threat activity late last week. At the time of writing, at least 20 observed IPs were trying to exploit the vulnerability in attacks, according to GreyNoise.

Edge devices like firewalls are increasingly popular targets for attack, given their location at the gateway to trusted networks.

Earlier this month, GCHQ’s National Cyber Security Centre (NCSC) and allies in Australia, Canada, New Zealand and the US published new guidance for edge device manufacturers, designed to improve security standards.
