Authentication bypass vulnerabilities in SonicWall SonicOS SSLVPN and Palo Alto Networks PAN-OS have been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the agency said Tuesday.
The SonicOS SSLVPN flaw tracked as CVE-2024-53704, which was given a critical CVSS score of 9.8 by the National Institute of Standards and Technology (NIST), enables a remote attacker to hijack SSLVPN sessions and gain unauthorized access to the victim’s network.
The PAN-OS vulnerability tracked as CVE-2025-0108, with a high CVSS-B score of 8.8, allows remote attackers with network access to the PAN-OS management web interface to bypass authentication and invoke certain PHP scripts.
The addition of the flaws to the KEV catalog gives federal civilian executive branch (FCEB) agencies until March 11, 2025, to resolve them.
The SonicOS SSLVPN flaw affects versions 8.0.0-8035, 7.1.2-7019, and 7.1.1-7058 and older, and is resolved by installing versions 8.0.0-8037 and later, 7.0.1-51655 and later, 7.1.3-7015 and later, or 6.5.5.1-6n and later.
The PAN-OS flaw impacts all versions of 10.1 prior to 10.1.14-h9, all versions of 10.2 prior to 10.2.13-h3, all versions of 11.1 prior to 11.1.6-h1 and all versions of 11.2 prior to 11.2.4-h4.
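The following triage script is an added example, not code from CISA or Palo Alto Networks: it classifies an inventory of PAN-OS versions against the fixed releases listed above for CVE-2025-0108. It assumes versions are written as `major.minor.maintenance[-hN]` and are ordered by maintenance number, then hotfix number; the hostnames and inventory are constructed.

```python
import re

# Fixed releases per PAN-OS train for CVE-2025-0108, as listed in the article.
FIXED = {
    (10, 1): "10.1.14-h9",
    (10, 2): "10.2.13-h3",
    (11, 1): "11.1.6-h1",
    (11, 2): "11.2.4-h4",
}

# Assumption: versions look like 10.2.13 or 10.2.13-h3; anything else is rejected.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); a missing -hN counts as hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def status(version):
    """Classify as 'affected', 'fixed', or 'unlisted' (train not named in the article)."""
    parsed = parse(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return "unlisted"
    return "affected" if parsed < parse(fixed) else "fixed"


def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "fw-edge-01": "10.2.13-h2",
        "fw-edge-02": "10.2.13-h3",
        "fw-dc-01": "11.1.6",
        "fw-dc-02": "11.2.5",
        "fw-lab-01": "11.0.4",
    }
    for host, result in triage(sample).items():
        print(f"{host}: {sample[host]} -> {result}")
```

An "unlisted" result means the article gives no fixed release for that train, so the vendor advisory has to be checked for it directly.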
Exploit code available for SonicWall flaw, Palo Alto flaw chained with past bugs
A proof-of-concept (PoC) exploit for SonicWall SonicOS SSLVPN CVE-2024-53704 was published by BishopFox on Feb. 10, 2025. BishopFox researchers reverse-engineered the flaw and discovered that the improper session validation could be triggered by sending a specially crafted session cookie containing a base64-encoded string of null bytes to the SSLVPN authentication endpoint “/cgi-bin/sslvpnclient.”
This exploit enables an attacker to hijack the SSLVPN session, log other users out of the firewall and gain unauthorized access to the victim network. Exploit attempts against SonicOS firewalls vulnerable to CVE-2024-53704 began shortly after the PoC exploit was published, according to Arctic Wolf.
A Shodan search conducted by Qualys discovered more than 11,000 internet-exposed SonicOS instances as of Feb. 19, with nearly 6,500 in the United States.
Palo Alto Networks updated its security advisory for CVE-2025-0108 on Tuesday, noting that attackers were attempting to chain CVE-2025-0108 with older flaws CVE-2024-9474 and CVE-2025-0111.
CVE-2024-9474 is a privilege escalation vulnerability in PAN-OS that was previously added to the KEV catalog in November 2024. CVE-2025-0111 is a high-severity authenticated file read vulnerability that allows remote authenticated attackers to read files on the PAN-OS file system that are readable by the “nobody” user, Palo Alto Networks said in an advisory.
GreyNoise noted in a blog post Tuesday that at least 25 malicious IP addresses have been targeting CVE-2025-0108. GreyNoise previously spotted two IPs attempting to exploit that flaw on Feb. 13, one day after the vulnerability was disclosed.