SonicWall Capture Labs found a vulnerability in the Artica Proxy appliance. This vulnerability affects over 100K servers globally. Artica Proxy is a proxy solution that performs tasks like web filtering, SSL inspection, and bandwidth management. SonicWall has developed measures to mitigate the vulnerability.
The vulnerability, CVE-2024-2054, is in the administrative web interface. It allows code execution without authentication, which can lead to the execution of code under the “www-data” user account. The severity score is 9.8. It affects version 4.50 and earlier versions. Although there are currently no reports of active attacks, there is a publicly available proof of concept provided by the Korelogic research team.
The vendor has not released a patch yet. Organizations are strongly advised to follow the steps in the mitigation section below. SonicWall customers are already protected with IPS signature 19786, released on March 18th.
Technical Overview:
An unauthenticated user can send an HTTP POST request to the “/wizard/wiz.wizard.progress.php” endpoint with the “build-js” query parameter.
Figure 1: wiz.wizard.progress.php lines 10-16
While processing the “build-js” user input, the script decodes the base64 value and passes it to the PHP “unserialize” function. This is depicted in Figure 2.
Figure 2: wiz.wizard.progress.php build-js function
This is the root cause of the vulnerability: an unauthenticated attacker controls the base64-encoded input, which is then deserialized directly.
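A defender-side check for the request shape described above, as an added example (not SonicWall's IPS signature and not Artica's code): it flags requests to the endpoint whose “build-js” value base64-decodes to a PHP serialized object. The function name, verdict labels and sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/wizard/wiz.wizard.progress.php"   # endpoint named in the advisory
PARAM = "build-js"                             # parameter named in the advisory
# PHP serialize() object markers: O:<len>:"Class":<n>:{ and C:<len>:"Class":<n>:{
# either at the start of the value or nested after ';' or '{'.
OBJECT_MARKER = re.compile(rb'(?:^|[;{])[OC]:\d+:"[^"]+":\d+:\{')

def classify(target, body=""):
    """Return 'ignore', 'review' or 'alert' for one request (hypothetical labels).

    target: request target as logged (path plus optional query string)
    body:   form-encoded request body, if the log source captures it
    """
    url = urlsplit(target)
    if unquote(url.path) != ENDPOINT:
        return "ignore"
    # The parameter may arrive in the query string or in the POST body.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    values += parse_qs(body, keep_blank_values=True).get(PARAM, [])
    if not values:
        return "ignore"
    for value in values:
        # parse_qs turns '+' into a space; restore it before decoding base64.
        value = value.replace(" ", "+")
        try:
            decoded = base64.b64decode(value + "=" * (-len(value) % 4))
        except (binascii.Error, ValueError):
            continue                     # not decodable as base64
        if OBJECT_MARKER.search(decoded):
            return "alert"               # serialized object headed for unserialize()
    return "review"                      # parameter present, no object marker found

if __name__ == "__main__":
    # Constructed sample values: a harmless array and an empty placeholder object.
    array_b64 = base64.b64encode(b'a:1:{s:4:"step";i:1;}').decode()
    object_b64 = base64.b64encode(b'O:12:"ExampleClass":0:{}').decode()
    for target, body in [
        (ENDPOINT + "?build-js=" + array_b64, ""),
        (ENDPOINT, "build-js=" + object_b64),
        ("/index.php", ""),
    ]:
        print(classify(target, body), target)
```
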
Triggering the Vulnerability:
To exploit this vulnerability, an attacker needs to send an HTTP POST request to the Artica Proxy instance with the manipulated “build-js” parameter set to a base64-encoded payload. The public PoC code demonstrates this using the Linux “curl” command as shown in Figure 3.