SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse.
"We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability," the company said. "Instead, there is a significant correlation with threat activity related to CVE-2024-40766."
CVE-2024-40766 (CVSS score: 9.3) was first disclosed by SonicWall in August 2024, calling it an improper access control issue that could allow malicious actors unauthorized access to the devices.
"An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash," it noted in an advisory at the time.
SonicWall also said it's investigating less than 40 incidents related to this activity, and that many of the incidents are related to migrations from Gen 6 to Gen 7 firewalls without resetting the local user passwords, a crucial recommended action as part of CVE-2024-40766.
Furthermore, the company pointed out that SonicOS 7.3 has additional protection against brute-force password and multi-factor authentication (MFA) attacks. The updated guidance offered by the company is below -
- Update firmware to SonicOS version 7.3.0
- Reset all local user account passwords for any accounts with SSLVPN access, particularly those that were carried over during migration from Gen 6 to Gen 7
- Enable Botnet Protection and Geo-IP Filtering
- Enforce MFA and strong password policies
- Remove unused or inactive user accounts
The development comes as multiple security vendors reported observing a surge in attacks exploiting SonicWall SSL VPN appliances for Akira ransomware attacks.
Last year, Arctic Wolf disclosed that threat actors associated with Akira and Fog are targeting SonicWall SSL VPNs that are unpatched against CVE-2024-40766 to breach victim networks between August and mid-October 2024.
Cybersecurity company Huntress told The Hacker News that it continues to see organizations impacted by threat actors targeting SonicWall Gen 7 firewall appliances, adding a total of at least 28 incidents have been recorded from this activity cluster as of August 6, 2025.
