SonicWall finds no SSLVPN zero-day, links ransomware attacks to 2024 flaw

SonicWall says that recent Akira ransomware attacks exploiting Gen 7 firewalls with SSLVPN enabled are exploiting an older vulnerability rather than a zero-day flaw.

The company says that the attackers are targeting CVE-2024-40766, an unauthorized access flaw fixed in August 2024.

“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability,” reads the update on the SonicWall bulletin published this week.

“Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015.”

CVE‑2024‑40766 is a critical SSLVPN access control flaw in SonicOS, allowing unauthorized access to vulnerable endpoints, enabling attackers to hijack sessions or gain VPN access in protected environments.

The flaw was exploited extensively following its disclosure roughly a year ago, including by Akira and Fog ransomware operators who leveraged it to breach corporate networks.

On Friday, Arctic Wolf Labs first hinted at the potential existence of a zero-day vulnerability in SonicWall Gen 7 firewalls, after noticing Akira ransomware attack patterns that supported this assumption.

SonicWall quickly confirmed that it is aware of an ongoing campaign, and advised customers to turn off SSL VPN services and limit connectivity to trusted IP addresses until the situation clears up.

Following internal investigations on 40 incidents, the vendor now disputes the possibility of attackers exploiting a zero-day vulnerability in its products.

Instead, SonicWall says the Akira attacks are targeting endpoints that did not follow the recommended course of action for mitigating CVE-2024-40766 when migrating from Gen 6 to Gen 7 firewalls.

“Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset,” explains SonicWall.

“Resetting passwords was a critical step outlined in the original advisory.”

The recommended action now is to update firmware to version 7.3.0 or later, which has stronger brute-force and MFA protections, and reset all local user passwords, especially those used for SSLVPN.

As SonicWall also emailed customers this latest update, many took to Reddit to express their doubts about the accuracy of the vendor’s claims, saying that not everything in it checks out with their own experience.

Some noted that they had breaches on accounts that didn’t exist before migrating to Gen 7 firewalls, and even claimed that SonicWall declined to examine their logs.

These contradicting reports, combined with the ambiguous wording SonicWall used in its update, leave room for uncertainty, so vigilance and immediate application of the recommended measures remain crucial.