The Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity access control vulnerability, to gain unauthorized access to SonicWall devices.
The hackers are leverging the security issue to gain access to target networks via unpatched SonicWall SSL VPN endpoints.
SonicWall released a patch for CVE-2024-40766 last year in August, marking it as actively exploited. The flaw allows unauthorized resource access and can cause firewall crashes.
At the time, SonicWall strongly recommended that applying the update should be accompanied by a password reset for users with locally managed SSLVPN accounts.
Without rotating the passwords after the update, threat actors could use exposed credentials for valid accounts to configure the multi-factor authentication (MFA) or time-based one-time sassword (TOTP) system and gain access.
Akira was among the first ransomware groups to actively exploit it in starting September 2024.
An alert from the Australian Cyber Security Center (ACSC) yesterday warns organizations of the new malicious activity, urging immediate action.
“ASD’s ACSC is aware of a recent increase in active exploitation in Australia of a 2024 critical vulnerability in SonicWall SSL VPNs (CVE-2024-40766),” reads the advisory.
“We are aware of the Akira ransomware targeting vulnerable Australian organizations through SonicWall SSL VPNs,” says the Australian Cyber Security Centre.
Cybersecurity firm Rapid7 has made similar observations, reporting that Akira ransomware attacks on SonicWall devices have recently re-ignited, likely tied to incomplete remediation.
Rapid7 highlights intrusion methods such as exploiting the broad access permission of the Default Users Group to authenticate and connect to the VPN, and the default public access permission for the Virtual Office Portal on SonicWall devices.
It should be noted that this activity has recently generated confusion in the cybersecurity community, with many reporting that ransomware actors are actively exploiting a zero-day vulnerability in SonicWall products.
The vendor published a new security advisory saying that it has “high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability” and that it found “significant correlation with threat activity related to CVE-2024-40766.”
Last month, SonicWall noted that it was investigating up to 40 security incidents related to this activity.
CVE-2024-40766 impacts the following firewall versions:
- Gen 5: SOHO devices running version 5.9.2.14-12o and older
- Gen 6: Various TZ, NSA, and SM models running versions 6.5.4.14-109n and older
- Gen 7: TZ and NSA models running SonicOS build version 7.0.1-5035 and older
System administrators are recommended to follow the patching and mitigation advice provided by the vendor in the related bulletin.
Admins should update to firmware version 7.3.0 or later, rotate SonicWall account passwords, enforce multi-factor authentication (MFA), mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
