
CVE-2024-53703

Severity: High
Published: 05 December 2024
Modified: 04 November 2025
KEV Added: not listed
Patch: vendor advisory available (SNWLID-2024-0018)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2915 (96.7th percentile)
Risk Priority: 34 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-53703 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in SonicWall SMA 200 firmware. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 3.3% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability tracked as CVE-2024-53703 exists in the mod_httprp library loaded by the Apache web server on SonicWall SMA100 SSLVPN firmware versions 10.2.1.13-72sv and earlier. The flaw is a stack-based buffer overflow (CWE-121) with a CVSS 3.1 score of 8.1, reflecting a network attack vector, high attack complexity, and no requirement for privileges or user interaction.

Remote unauthenticated attackers can trigger the overflow to achieve arbitrary code execution, with high impact on confidentiality, integrity, and availability. The EPSS score of 0.2915, which is both the current and the peak value, indicates sustained exploitation interest since disclosure.

The vendor advisory at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018 addresses the issue for affected SMA100 appliances.

Vulnerability details

A vulnerability in the mod_httprp library loaded by the Apache web server on SonicWall SMA100 SSLVPN firmware 10.2.1.13-72sv and earlier allows remote attackers to cause a stack-based buffer overflow and potentially achieve code execution.

CWE(s)

CWE-121: Stack-based Buffer Overflow

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

SonicWall SMA 200 firmware: ≤ 10.2.1.14-75sv
SonicWall SMA 210 firmware: ≤ 10.2.1.14-75sv
SonicWall SMA 400 firmware: ≤ 10.2.1.14-75sv
SonicWall SMA 410 firmware: ≤ 10.2.1.14-75sv
SonicWall SMA 500v firmware: ≤ 10.2.1.14-75sv

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References