{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gen7-sonicos-cloud-nsv-azure/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*","cpe:2.3:o:sonicwall:sonicos:7.1.2-7019:*:*:*:*:*:*:*","cpe:2.3:o:sonicwall:sonicos:8.0.0-8035:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2024-40762"},{"cvss":9.8,"id":"CVE-2024-53704"},{"cvss":7.5,"id":"CVE-2024-53705"},{"cvss":7.8,"id":"CVE-2024-53706"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Gen6 Hardware Firewalls","Gen7 Firewalls","Gen7 NSv","TZ80","Gen7 SonicOS Cloud NSv AWS","Gen7 SonicOS Cloud NSv Azure"],"_cs_severities":["critical"],"_cs_tags":["sonicwall","firewall","rce","authentication-bypass","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["SonicWall"],"content_html":"\u003cp\u003eSonicWall has disclosed several vulnerabilities affecting their Gen6 and Gen7 hardware firewalls, NSv, TZ80, and SonicOS. These vulnerabilities, including CVE-2024-40762, CVE-2024-53704, CVE-2024-53705, and CVE-2024-53706, range from authentication bypass to remote code execution and privilege escalation. SonicWall devices are often deployed as perimeter security solutions, making them attractive targets for threat actors seeking initial access to internal networks. Reports indicate that ransomware groups, such as Akira and Fog, are actively exploiting previous SonicWall vulnerabilities. A proof-of-concept exploit has been published for CVE-2024-53704 as of February 10, 2025, increasing the likelihood of exploitation. 
CISA added CVE-2024-53704 to their Known Exploited Vulnerabilities Catalog on February 18, 2025.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable SonicWall device exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2024-53704, an improper authentication flaw in the SSLVPN mechanism, to bypass authentication.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits CVE-2024-40762, predicting SSLVPN tokens to bypass authentication.\u003c/li\u003e\n\u003cli\u003eIf the SSH management interface is accessible, the attacker exploits CVE-2024-53705, an SSRF vulnerability, to create TCP connections to internal IP addresses and ports.\u003c/li\u003e\n\u003cli\u003eIf the device is a Gen7 SonicOS Cloud NSv (AWS/Azure edition), an attacker who has already compromised a low-privileged account escalates to root privileges using CVE-2024-53706.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gained access to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eExploitation of these vulnerabilities allows attackers to gain unauthorized access to internal networks. With access to internal networks, attackers can conduct follow-on attacks, including ransomware deployment, data exfiltration, or other malicious activities. The vulnerabilities collectively pose a high impact on confidentiality, integrity, and availability. 
Ransomware groups like Akira and Fog have historically targeted SonicWall devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches provided by SonicWall immediately to address CVE-2024-40762, CVE-2024-53704, CVE-2024-53705, and CVE-2024-53706 on all affected Gen6 and Gen7 firewalls, NSv, and TZ80 appliances.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious connections originating from SonicWall appliances, especially connections to internal resources, to detect potential exploitation of CVE-2024-53705 as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious SSLVPN authentication bypass attempts, which may indicate exploitation of CVE-2024-53704 or CVE-2024-40762.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T16:11:08Z","date_published":"2026-05-19T16:11:08Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sonicwall-vulns/","summary":"Multiple vulnerabilities have been disclosed in SonicWall Gen6 and Gen7 firewalls, SonicOS, and NSv that can be exploited for authentication bypass, remote code execution, and privilege escalation, specifically CVE-2024-40762, CVE-2024-53704, CVE-2024-53705, and CVE-2024-53706; a proof of concept exploit is available for CVE-2024-53704, which, if exploited, can lead to internal network access and further attacks, including ransomware deployment.","title":"Multiple Vulnerabilities in SonicWall Firewalls Allow Remote Code Execution and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-sonicwall-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Gen7 SonicOS Cloud NSv Azure","version":"https://jsonfeed.org/version/1.1"}