CISA confirms that SonicWall vulnerability is getting exploited (CVE-2024-40766)
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-40766 – a recently fixed improper access control vulnerability affecting SonicWall’s firewalls – to its Known Exploited Vulnerabilities catalog, thus confirming it is being actively exploited by attackers.
Though the KEV entry does not say that it’s being leveraged in ransomware campaigns, both Arctic Wolf and Rapid7 say that there is indirect evidence pointing to that.
What we know so far
On the same day that SonicWall amended its security advisory to say that CVE-2024-40766 is “potentially being exploited in the wild” and to say that the vulnerability affects the SSLVPN feature as well as the devices’ management access, Arctic Wolf researcher Stefan Hostetler shared that they have observed Akira ransomware affiliates carrying out attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices.
“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory. Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices was within the versions known to be vulnerable to CVE-2024-40766,” he noted.
Rapid7 chimed in on Monday by saying that “as of September 9, 2024, Rapid7 is aware of several recent incidents (both external and Rapid7-observed) in which SonicWall SSLVPN accounts were targeted or compromised, including by ransomware groups.”
“Vulnerabilities like CVE-2024-40766 are frequently used for initial access to victim environments,” the company said. Though the evidence linking CVE-2024-40766 to these incidents is still circumstantial, it advised admins to mitigate the threat of exploitation immediately by upgrading to the latest SonicOS firmware version, or by restricting firewall management and SSLVPN access to trusted sources and disabling internet access to them whenever possible.
“SonicWall strongly advises that customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts immediately update their passwords to enhance security and prevent unauthorized access,” SonicWall also noted, and recommends that admins enable multi-factor authentication for all SSLVPN users.