Akira Ransomware Exploits SonicWall SSLVPN Flaw (CVE-2024-40766)
SonicWall has issued a warning: the recently patched critical access control vulnerability, tracked as CVE-2024-40766, is now actively exploited in the wild. The flaw, originally thought to impact only SonicOS management access, has now been confirmed to affect the firewall’s SSLVPN feature, making the situation even more dire.
Recent threat activity observed by Arctic Wolf reveals that the notorious Akira ransomware affiliates are leveraging this vulnerability to compromise SSLVPN user accounts on SonicWall devices. The attacks have targeted local accounts with disabled multi-factor authentication (MFA) and vulnerable SonicOS firmware versions.
SonicWall has identified the following products and versions as being susceptible to CVE-2024-40766:
- SonicWall Gen 5 running SonicOS version 5.9.2.14-12o and older – fixed in SonicOS version 5.9.2.14-13o
- SonicWall Gen 6 running SonicOS version 6.5.4.14-109n and older – fixed in 6.5.2.8-2n (for SM9800, NSsp 12400, NSsp 12800) and version 6.5.4.15-116n (for other Gen 6 Firewalls)
- SonicWall Gen 7 running SonicOS version 7.0.1-5035 and older – not reproducible in 7.0.1-5035 and later
SonicWall strongly urges administrators to apply the available patches immediately. In addition to patching, the following mitigation measures are recommended:
- Limit firewall management to trusted sources and disable internet access to the WAN management portal if possible.
- Restrict SSLVPN access to trusted sources only and disable it entirely if not needed.
- For Gen 5 and Gen 6 devices, SSLVPN users with local accounts should update their passwords immediately and administrators should enable the “User must change password” option for local users.
- Enable MFA for all SSLVPN users using TOTP or email-based OTPs.
The active exploitation of CVE-2024-40766 by ransomware groups underscores the critical importance of timely patching and implementing robust security measures. Organizations using affected SonicWall products must take immediate action to protect their networks and data.
