SonicWall Fails to Find Zero-Day Vulnerability in Its Products, Links Recent Attacks to a 2024 Vulnerability


Date: 09/08/2025

SonicWall has announced that the operators of the Akira ransomware exploited an old vulnerability in recent attacks on 7th-generation SonicWall firewalls with SSL VPN enabled. It was previously believed that the attackers were using a zero-day vulnerability.

After an internal investigation covering 40 incidents, the company concluded that the attackers exploited CVE-2024-40766, an access control vulnerability that permits unauthorized access and was patched back in August 2024.

“We are now confident that the recent activity surrounding SSL VPN was not related to a zero-day vulnerability,” stated SonicWall. “On the contrary, there is a clear correlation with the issue CVE-2024-40766, which was previously disclosed and documented in our publicly available bulletin SNWLID-2024-0015.”

CVE-2024-40766 is a critical access control vulnerability in SSL VPN within SonicOS. It allows unauthorized access to vulnerable endpoints, enabling attackers to hijack sessions or gain VPN access in secured environments.

Last year, following the disclosure of this vulnerability, it was actively exploited by hackers, including ransomware operators (Akira and Fog), who used it to compromise corporate networks.

Recall that last week, specialists from Arctic Wolf warned that since July 15, 2025, they have been detecting attacks involving the Akira ransomware. They suggested that criminals may be exploiting a zero-day vulnerability in SonicWall’s 7th generation firewalls in this campaign.

These findings were soon corroborated by specialists from Huntress, who published their own report containing indicators of compromise collected during their study of the campaign.

Experts have advised administrators to temporarily disable SonicWall SSL VPN services due to the high likelihood that a vulnerability related to them is being exploited in attacks.

According to SonicWall, the Akira attacks affected customers who did not follow the manufacturer’s guidance for protecting against CVE-2024-40766 when migrating from 6th generation to 7th generation firewalls.

“Many incidents are associated with the migration from Gen 6 firewalls to Gen 7, where local user passwords were transferred during migration and not reset,” the experts explain. “Resetting passwords was an important step mentioned in the original security bulletin.”

The company now recommends updating the firmware to version 7.3.0 or later, where MFA (multi-factor authentication) and brute-force protection have been strengthened. It also advises resetting all local user passwords, especially those used for SSL VPN.
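The remediation described above (firmware at 7.3.0 or later, reset of local passwords carried over from the Gen 6 migration, MFA on SSL VPN accounts) is easy to state but tedious to verify across a fleet. The following script is an added example, not SonicWall's code or API: it audits a constructed, assumed-format inventory of local users against an assumed migration date, flags SSL VPN accounts whose password was not changed on or after that date (treating an unknown change date conservatively as "not reset"), lists SSL VPN accounts without MFA, and compares firmware versions numerically rather than as strings. The user records, field names and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class LocalUser:
    """One local firewall account. Assumed export shape, not SonicWall's own format."""
    name: str
    ssl_vpn: bool                      # account may authenticate to SSL VPN
    password_changed: Optional[date]   # None = no recorded change since account creation
    mfa_enabled: bool
    created: date


# Assumed date on which the Gen 6 -> Gen 7 migration was performed (constructed).
MIGRATION_DATE = date(2025, 3, 1)

# Constructed sample inventory; in practice this would come from an export of the firewall's
# local user database.
SAMPLE_USERS: List[LocalUser] = [
    LocalUser("alice", True, date(2024, 11, 2), False, date(2022, 5, 10)),   # pre-migration password, no MFA
    LocalUser("bob",   True, date(2025, 3, 5),  True,  date(2022, 5, 10)),   # reset after migration, MFA on
    LocalUser("carol", True, None,              True,  date(2025, 3, 1)),    # created at migration, never reset
    LocalUser("dave",  False, date(2023, 1, 1), False, date(2021, 9, 30)),   # no SSL VPN access: out of scope
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.10.1' into (7, 10, 1) so versions compare numerically.

    A plain string comparison gets this wrong: '7.10.1' < '7.3.0' as strings,
    but 7.10.1 is the newer firmware.
    """
    return tuple(int(part) for part in version.strip().split("."))


def firmware_is_patched(version: str, minimum: str = "7.3.0") -> bool:
    """True when the running firmware is at or above the recommended minimum."""
    return parse_version(version) >= parse_version(minimum)


def users_needing_reset(users: List[LocalUser], migration_date: date) -> List[str]:
    """SSL VPN accounts whose password was not changed on or after the migration date.

    An account with no recorded password change is flagged as well: a password that was
    carried over during migration and never reset has no change date after the migration.
    """
    flagged = []
    for user in users:
        if not user.ssl_vpn:
            continue
        if user.password_changed is None or user.password_changed < migration_date:
            flagged.append(user.name)
    return flagged


def users_without_mfa(users: List[LocalUser]) -> List[str]:
    """SSL VPN accounts that still authenticate with a password alone."""
    return [user.name for user in users if user.ssl_vpn and not user.mfa_enabled]


def audit(users: List[LocalUser], firmware_version: str, migration_date: date) -> dict:
    """Summarise the three checks for one firewall."""
    return {
        "firmware_ok": firmware_is_patched(firmware_version),
        "reset_required": users_needing_reset(users, migration_date),
        "mfa_missing": users_without_mfa(users),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_USERS, "7.2.0", MIGRATION_DATE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports that firmware 7.2.0 is below the recommended minimum, that `alice` and `carol` still need a password reset, and that `alice` lacks MFA. The version parser is the part most worth keeping even if the rest is replaced: comparing firmware versions as strings silently passes "7.10.x" as older than "7.3.0".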

It should be noted that Reddit users believe the manufacturer’s statements may not be entirely accurate and clearly do not align with their own experiences. For instance, some individuals report that the breach was associated with accounts that did not even exist until the migration to 7th generation firewalls. Others claim that SonicWall representatives refused to analyze the logs provided to them.
