Threat actors started exploiting a recent SonicWall firewall vulnerability this week, shortly after proof-of-concept (PoC) code targeting it was published, cybersecurity firm Arctic Wolf reports.
The flaw, tracked as CVE-2024-53704, is a high-severity authentication bypass caused by an issue in the SSLVPN authentication mechanism of SonicOS.
SonicWall announced in early January that patches for this bug and another authentication bypass issue, tracked as CVE-2024-40762, were included in SonicOS versions 7.1.3-7015 and 8.0.0-8037, saying that it had no evidence of either of them being exploited in attacks.
According to Arctic Wolf, the malicious activity targeting CVE-2024-53704 started this week, shortly after Bishop Fox published technical details and a PoC exploit for it.
“Shortly after the PoC was made public, Arctic Wolf began observing exploitation attempts of this vulnerability in the threat landscape,” the cybersecurity firm notes.
Arctic Wolf explains that the public PoC enables unauthenticated attackers to bypass multi-factor authentication (MFA) protections, access private information, and interrupt VPN sessions.
“Historically, threat actors have leveraged authentication bypass vulnerabilities on firewall and VPN gateways to deploy ransomware. In late 2024, Arctic Wolf observed Akira ransomware affiliates targeting SSL VPN user accounts on SonicWall devices as an initial access vector,” the security firm notes.
According to Bishop Fox, approximately 4,500 internet-facing SonicWall SSL VPN servers had not been patched against CVE-2024-53704 by February 7.
Organizations are advised to update their appliances as soon as possible, or to apply the mitigations described in SonicWall’s advisory, which has been updated to warn of the public PoC.
“PoCs for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) are now publicly available. This significantly increases the risk of exploitation. Customers must immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update is not possible, disable SSLVPN,” SonicWall notes.
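The advisory's guidance above reduces to a per-appliance decision: is the firmware at or past the first fixed build for its branch, and if not, is SSLVPN disabled? The following triage script is an added illustration, not SonicWall's or Arctic Wolf's code; it assumes the `major.minor.patch-build` version format seen in the article (e.g. `7.1.3-7015`), treats only the 7.1.x and 8.0.0 branches named in the article as covered, and uses a constructed inventory.

```python
import re
from typing import Iterable, Optional, Tuple

# First patched build per branch, as stated in the article's advisory text.
FIXED_BUILDS = {
    (7, 1): (7, 1, 3, 7015),
    (8, 0): (8, 0, 0, 8037),
}

# Assumed version layout: major.minor.patch-build (e.g. "7.1.3-7015").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch, build) or None if the string is not in that layout."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def assess(version: str, sslvpn_enabled: bool = True) -> str:
    """Classify one appliance as 'patched', 'vulnerable', 'mitigated' or 'unknown'.

    'mitigated' is an unpatched build with SSLVPN disabled, the advisory's fallback.
    'unknown' covers unparseable strings and branches the advisory text does not name,
    so they are surfaced for manual review rather than silently marked safe.
    """
    v = parse_sonicos_version(version)
    if v is None:
        return "unknown"
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "unknown"
    if v >= fixed:  # tuple comparison: build number decides within a branch
        return "patched"
    return "mitigated" if not sslvpn_enabled else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> dict:
    """Map hostname -> status for (hostname, version, sslvpn_enabled) records."""
    return {name: assess(ver, sslvpn) for name, ver, sslvpn in inventory}


if __name__ == "__main__":
    SAMPLE = [  # constructed sample inventory; hostnames and builds are illustrative
        ("fw-branch-1", "7.1.2-7019", True),
        ("fw-branch-2", "7.1.3-7015", True),
        ("fw-dc-1", "8.0.0-8035", False),
        ("fw-dc-2", "8.0.0-8037", True),
        ("fw-legacy", "6.5.4.4-example", True),
    ]
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Feed it the version and SSLVPN state exported from your own inventory; anything reported as unknown still needs a human check against the vendor advisory.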