CyberSecurity news

FlagThis - #SonicWall

@ciso2ciso.com //

SonicWall Patches NetExtender VPN Client High Severity Vulnerabilities - SonicWall released patches for NetExtender VPN client vulnerabilities, including CVE-2025-23008 (high severity) and CVE-2025-23009 (improper privilege management), advising users to update to version 10.3.2 or later to mitigate potential risks.
SonicWall has released patches to address three newly discovered vulnerabilities in its NetExtender Windows client, a widely-used VPN tool providing secure remote access to internal networks for organizations. The vulnerabilities affect NetExtender for Windows versions 10.3.1 and earlier, and include a high-severity flaw related to improper privilege management, identified as CVE-2025-23008, with a CVSS score of 7.2. This vulnerability could allow a low-privileged attacker to modify critical configurations, potentially re-routing VPN connections or weakening security settings.

The updates also address two medium-severity vulnerabilities: CVE-2025-23009, a local privilege escalation vulnerability via arbitrary file deletion, and CVE-2025-23010, a link following file access issue. The file deletion flaw could allow attackers to delete arbitrary files on the system, potentially escalating privileges or disrupting services. The symlink vulnerability could allow attackers to manipulate file operations and redirect them to unauthorized locations.

SonicWall strongly advises users of the NetExtender Windows (32 and 64 bit) client to upgrade to version 10.3.2 or later to mitigate these risks. While there is no evidence of active exploitation of these vulnerabilities in the wild, SonicWall notes that its products are often targeted by malicious actors. The NetExtender for Linux client is not affected by these security defects. Organizations are urged to apply the patches promptly to prevent potential unauthorized configuration changes, privilege escalation, or file path manipulation.

Recommended read:
References :
  • ciso2ciso.com: SonicWall Patches High-Severity Vulnerability in NetExtender – Source: www.securityweek.com
  • securityonline.info: SonicWall Patches Multi Vulnerabilities in NetExtender VPN Client
@PCWorld //

New Snake Keylogger Variant Launches Mass Attacks - A new variant of Snake Keylogger is launching over 280 million attacks, primarily impacting users in China, Turkey, Indonesia, Taiwan, and Spain, stealing credentials from browsers like Chrome and exfiltrating data via Telegram Bots.
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.

The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder, names itself ageless[.]exe, and sets its attributes to hidden and creates “ageless.vbs” in the %Startup% folder.

Recommended read:
References :
  • CyberInsider: New Snake Keylogger Variant Launches 280 Million Attacks
  • hackread.com: New Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots
  • cyberinsider.com: New Snake Keylogger Variant Launches 280 Million Attacks
  • The Register - Software: Snake Keylogger slithers into Windows, evades detection with AutoIt-compiled payload
  • Talkback Resources: Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots [net] [mal]
  • The Hacker News: New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection
  • PCWorld: This high-risk keylogger malware is a growing threat to Windows users
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
  • www.scworld.com: More advanced Snake Keylogger variant emerges
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
@gbhackers.com //

SonicWall Firewall Authentication Bypass Exploited - SonicWall firewall vulnerability (CVE-2024-53704) is actively exploited, allowing attackers to bypass authentication; users are urged to apply security updates immediately.
A critical authentication bypass vulnerability, identified as CVE-2024-53704, in SonicWall firewalls is under active exploitation. Security firms are warning that attackers are now targeting this flaw following the public release of proof-of-concept exploit code. The vulnerability allows attackers to bypass authentication, posing a significant risk to affected systems.

Security updates are available for download to address the issue, and users are strongly urged to patch their SonicWall firewalls immediately. Attacks are currently taking place, making prompt action essential to mitigate potential exploits. The vulnerability highlights the importance of keeping security infrastructure up-to-date to defend against emerging threats.

Recommended read:
References :
  • BleepingComputer: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
  • Anonymous ???????? :af:: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
  • heise online English: Patch Sonicwall now! Attackers bypass authentication of firewalls Attacks are currently taking place on Sonicwall firewalls. Security updates are available for download.
@gbhackers.com //

SonicWall Firewall Bug Allows VPN Hijacking - A high-severity authentication bypass vulnerability, CVE-2024-53704, affects SonicWall firewalls, allowing attackers to hijack active SSL VPN sessions and gain unauthorized network access.
SonicWall firewalls are facing a critical threat due to a high-severity authentication bypass vulnerability, identified as CVE-2024-53704. This flaw allows attackers to hijack active SSL VPN sessions, potentially granting them unauthorized access to networks. Bishop Fox researchers discovered nearly 4,500 internet-exposed SonicWall firewalls at risk, highlighting the widespread nature of the vulnerability. The affected SonicOS versions include 7.1.x, 7.1.2-7019, and 8.0.0-8035, which are used in various Gen firewalls.

A proof-of-concept exploit has been released for CVE-2024-53704, increasing the urgency for organizations to apply the necessary patches. The exploit involves sending a specially crafted session cookie to the SSL VPN endpoint, bypassing authentication mechanisms, including multi-factor authentication. By exploiting this vulnerability, attackers can access sensitive internal resources, Virtual Office bookmarks, and VPN client configurations, establishing new VPN tunnels into private networks. SonicWall has urged organizations to immediately apply patches to mitigate the vulnerability.

Recommended read:
References :
  • gbhackers.com: SonicWall firewalls running specific versions of SonicOS are vulnerable to a critical authentication bypass flaw, tracked as CVE-2024-53704, which allows attackers to hijack active SSL VPN sessions. This vulnerability has been classified as high-risk, with a CVSS score of 8.2.
  • MSSP feed for Latest: Nearly 4,500 internet-exposed SonicWall firewalls were discovered by Bishop Fox researchers to be at risk of having their VPN sessions taken over in attacks exploiting a recently patched high-severity authentication bypass flaw within the SonicOS SSLVPN application, tracked as CVE-2024-53704, according to BleepingComputer.
  • cyberpress.org: A critical security flaw, CVE-2024-53704, has been identified in SonicWall’s SonicOS SSLVPN application, enabling remote attackers to bypass authentication and hijack active SSL VPN sessions.
  • securityaffairs.com: Detailed findings and mitigation strategies related to the SonicWall firewall bug.
  • Cyber Security News: SonicWall Firewalls Exploit Let Attackers Remotely Hack Networks Via SSL VPN Sessions Hijack
  • gbhackers.com: SonicWall Firewalls Exploit Hijack SSL VPN Sessions to Gain Networks Access
  • www.bleepingcomputer.com: SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
  • arcticwolf.com: Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)
  • Arctic Wolf: Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)
  • arcticwolf.com: On February 10, 2025, Bishop Fox published technical details and proof-of-concept (PoC) exploit code for CVE-2024-53704, a high-severity authentication bypass vulnerability caused by a flaw in the SSLVPN authentication mechanism in SonicOS, the operating system used by SonicWall firewalls. Shortly after the PoC was made public, Arctic Wolf began observing exploitation attempts of this vulnerability
  • Arctic Wolf: Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)
  • The Register - Security: SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN
  • bishopfox.com: https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking
  • Christoffer S.: Arctic Wolf: Published a blog about observing active exploitation of SonicWALL vulnerability, which Bishop Fox published a PoC for on Feb 10. Unfortunately NO indicators or otherwise actionable intelligence provided beyond active exploitation.
  • BleepingComputer: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
  • heise online English: Patch Sonicwall now! Attackers bypass authentication of firewalls Attacks are currently taking place on Sonicwall firewalls. Security updates are available for download.
  • www.bleepingcomputer.com: BleepingComputer reports on attackers exploiting a SonicWall firewall vulnerability after the release of PoC exploit code.
  • Anonymous ???????? :af:: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
  • www.heise.de: Heise Online article urging users to patch their SonicWall devices.
  • www.bleepingcomputer.com: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
  • securityonline.info: SonicWall Firewalls Under Attack: CVE-2024-53704 Exploited in the Wild, PoC Released

Posts

Blogs

Research Tools