Today’s Topics:
- SonicWall Firewall Vulnerability Exploited Following PoC Release
- Chinese APT Exploits New Windows Zero-Day, Security Researchers Warn
- How can Netizen help?
SonicWall Firewall Vulnerability Exploited Following PoC Release

Cybercriminals are actively exploiting a critical authentication bypass vulnerability in SonicWall firewalls (CVE-2024-53704) following the public release of proof-of-concept (PoC) exploit code. The flaw, which affects the SSLVPN authentication mechanism, enables remote attackers to hijack active VPN sessions and gain unauthorized access to corporate networks.
The vulnerability impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, which are used across multiple SonicWall Gen 6 and Gen 7 firewall models, as well as SOHO series devices. If exploited, attackers can bypass multi-factor authentication (MFA), disclose sensitive information, and terminate active VPN sessions—posing a significant threat to enterprise security.
SonicWall initially warned customers to update their firewall firmware before publicly disclosing the vulnerability on January 7. Despite this, cybersecurity firm Arctic Wolf has reported detecting exploitation attempts beginning shortly after the PoC exploit became available.
According to Arctic Wolf, the exploit allows unauthenticated attackers to infiltrate corporate networks with minimal effort. “Given the ease of exploitation and available threat intelligence, Arctic Wolf strongly recommends upgrading to a fixed firmware to address this vulnerability,” the company stated.
The PoC exploit was published by security researchers at Bishop Fox on February 10, approximately one month after SonicWall released security patches. Prior to the PoC’s release, internet scans conducted on February 7 revealed that nearly 4,500 unpatched SonicWall SSL VPN servers remained exposed online.
Following the publication of the exploit code, SonicWall issued an urgent advisory reinforcing the importance of updating affected devices. “Proof-of-Concepts (PoCs) for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) are now publicly available. This significantly increases the risk of exploitation. Customers must immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update is not possible, disable SSLVPN,” SonicWall warned.
This is not the first time SonicWall firewalls have been targeted by threat actors. Ransomware groups such as Akira and Fog have previously leveraged SonicWall VPN vulnerabilities to gain initial network access. In October 2024, Arctic Wolf reported at least 30 ransomware intrusions that began with compromised SonicWall VPN accounts.
Given the increased risk following the release of the PoC, organizations using affected SonicWall devices are strongly urged to apply patches immediately or implement mitigation measures, such as restricting SSLVPN access, to prevent potential attacks.
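As an added example, and not code from SonicWall, Arctic Wolf or Bishop Fox, the following Python triage script checks an exported firewall inventory against the affected-version list quoted above (7.1.x up to and including 7.1.1-7058, 7.1.2-7019, and 8.0.0-8035). The hostnames, inventory rows and function names are constructed for the example; a NOT LISTED verdict means only that the version is outside the set the advisory names, not that it is confirmed fixed, so it should still be compared against the vendor advisory.

```python
import re
from typing import List, Tuple

# Affected SonicOS versions as stated in the advisory summary above.
# Any 7.1.x build at or below 7.1.1-7058 is affected, plus two exact builds.
AFFECTED_71_MAX = (7, 1, 1, 7058)
AFFECTED_EXACT = {(7, 1, 2, 7019), (8, 0, 0, 8035)}

# SonicOS version strings look like "major.minor.patch-build", e.g. 7.1.1-7058.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '7.1.1-7058' into (7, 1, 1, 7058).

    Raises ValueError for anything that does not match that shape, so a
    mangled inventory field can never silently compare as "not affected".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def is_listed_affected(version: str) -> bool:
    """True if the version is in the affected set named in the advisory."""
    v = parse_sonicos_version(version)
    if v[:2] == (7, 1) and v <= AFFECTED_71_MAX:
        return True
    return v in AFFECTED_EXACT


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (hostname, version, verdict) for each (hostname, version) row.

    Verdicts: AFFECTED (matches the listed versions), NOT LISTED (outside the
    listed set; confirm against the vendor advisory), UNPARSEABLE (bad field).
    """
    results = []
    for host, version in inventory:
        try:
            verdict = "AFFECTED" if is_listed_affected(version) else "NOT LISTED"
        except ValueError:
            verdict = "UNPARSEABLE"
        results.append((host, version, verdict))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "7.1.1-7058"),
    ("fw-branch-02", "7.1.0-7035"),
    ("fw-hq-01", "7.1.2-7019"),
    ("fw-hq-02", "8.0.0-8035"),
    ("fw-lab-01", "8.0.0-8036"),
    ("fw-legacy", "7.0.1-5161"),
    ("fw-unknown", "n/a"),
]

if __name__ == "__main__":
    for host, version, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:<14} {version:<12} {verdict}")
```

Devices reported as AFFECTED should be patched, or have SSLVPN disabled or access-restricted as SonicWall advises, before anything else on the list is considered.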
Chinese APT Exploits New Windows Zero-Day, Security Researchers Warn

Israeli cybersecurity firm ClearSky has identified a previously unknown Windows zero-day vulnerability being actively exploited by the Chinese advanced persistent threat (APT) group Mustang Panda. The firm has yet to disclose full details but confirmed that the flaw remains unpatched and currently lacks a CVE identifier, suggesting it is an emerging security risk.
ClearSky described the vulnerability as a user interface (UI) flaw that allows threat actors to manipulate file visibility when extracting compressed RAR files. According to their research, files extracted from a RAR archive may remain hidden from users when viewed in Windows Explorer, even though they are accessible via the command line.
The attack operates as follows:
- When a user extracts a RAR archive, the extracted files do not appear in Windows Explorer, making it seem as if the folder is empty.
- However, these files remain accessible via the command prompt if their exact paths are known.
- Attackers can execute these hidden files without the user realizing they exist.
- Running the attrib -s -h command on system-protected files generates an ActiveX component classified as an “Unknown” file type, raising concerns about potential abuse in malware delivery.
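As an added, defender-side illustration that is not ClearSky's research code or any Microsoft tooling, the Python audit below lists what a just-extracted folder actually contains, regardless of what Explorer shows. Directory enumeration returns every entry whatever its attributes, which is why the command line can reach files that Explorer's default view does not display; the script flags entries carrying the Hidden attribute (suppressed by Explorer's "Hidden items" setting) and entries that are both Hidden and System (suppressed by the separate "protected operating system files" setting). It assumes Python 3 on Windows for the filesystem scan, since st_file_attributes is only populated there; the sample paths and the function names are constructed for the example.

```python
import os
import stat
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Attribute bits as Windows reports them. The stat module defines these
# constants on every platform, but os.stat() only fills st_file_attributes
# on Windows, so on other systems scan_folder() sees 0 for every entry.
HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM


def classify_attributes(attrs: int) -> Optional[str]:
    """Explain why Explorer, with default view settings, would not list an entry.

    Hidden entries fall under the "Hidden items" setting; entries that are
    both Hidden and System fall under "protected operating system files".
    Returns None for entries Explorer would show (System alone is visible).
    """
    if attrs & HIDDEN and attrs & SYSTEM:
        return "hidden+system"
    if attrs & HIDDEN:
        return "hidden"
    return None


def audit_entries(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry Explorer's default view hides."""
    findings = []
    for path, attrs in entries:
        reason = classify_attributes(attrs)
        if reason is not None:
            findings.append((path, reason))
    return findings


def scan_folder(root: str) -> List[Tuple[str, int]]:
    """Walk root and return (path, attribute bitmask) for every entry.

    os.walk enumerates hidden and system entries like any other, so the
    result reflects what is really on disk, not what Explorer displays.
    """
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            try:
                st = path.lstat()  # lstat: do not follow reparse points/links
            except OSError:
                continue  # unreadable entry; skip rather than abort the audit
            entries.append((str(path), getattr(st, "st_file_attributes", 0)))
    return entries


# Constructed sample standing in for a freshly extracted archive folder.
SAMPLE_ENTRIES = [
    (r"C:\Users\alice\Downloads\report\README.txt", stat.FILE_ATTRIBUTE_ARCHIVE),
    (r"C:\Users\alice\Downloads\report\notes.docx", HIDDEN),
    (r"C:\Users\alice\Downloads\report\update.exe", HIDDEN | SYSTEM),
]

if __name__ == "__main__":
    # Pass a folder path to scan the real filesystem; otherwise use the sample.
    entries = scan_folder(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for path, reason in audit_entries(entries):
        print(f"{reason:<14} {path}")
```

Run it against the destination folder after extracting an archive from an untrusted source; any finding means the folder holds more than Explorer is showing, which is the condition the research above describes.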
Microsoft has been informed of the issue but has reportedly classified it as low severity. Given that it enables stealthy file execution, security researchers warn that the vulnerability could be leveraged for espionage, persistence, and malware deployment.
Mustang Panda, the China-linked APT, has a history of targeting government agencies, NGOs, and critical infrastructure worldwide. The group is known for using custom malware and spear-phishing campaigns to gain long-term access to victim networks.
This latest discovery adds to the growing list of Windows vulnerabilities being leveraged by Chinese APTs for cyber espionage and covert operations. If the flaw remains unpatched, it could be used to execute malicious payloads without detection, making it an attractive tool for state-sponsored attacks.
Microsoft’s February Patch Tuesday addressed over 50 vulnerabilities, including two other zero-day exploits:
- CVE-2025-21391 – A Windows Storage privilege escalation flaw that allows attackers to delete system files.
- CVE-2025-21418 – A Windows Ancillary Function driver flaw that permits privilege escalation to system-level access.
While these vulnerabilities received immediate patches, the ClearSky-discovered zero-day remains unresolved, increasing the urgency for a fix.
ClearSky has promised to release further details in an upcoming technical blog post. Meanwhile, security researchers and enterprises are urged to monitor Microsoft’s security advisories and implement workarounds where possible.
How Can Netizen Help?
Netizen ensures that security gets built in rather than bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
