SonicWall has announced that the operators of the Akira ransomware exploited an old vulnerability in recent attacks on 7th-generation SonicWall firewalls with SSL VPN enabled. It was previously believed that the attackers were using a zero-day vulnerability.
After conducting an internal investigation and examining 40 incidents, the company concluded that hackers exploited the CVE-2024-40766 vulnerability, which is associated with unauthorized access and was patched back in August 2024.
“We are now confident that the recent activity surrounding SSL VPN was not related to a zero-day vulnerability,” stated SonicWall. “On the contrary, there is a clear correlation with the issue CVE-2024-40766, which was previously disclosed and documented in our publicly available bulletin SNWLID-2024-0015.”
CVE-2024-40766 is a critical access control vulnerability in SSL VPN within SonicOS. It allows unauthorized access to vulnerable endpoints, enabling attackers to hijack sessions or gain VPN access in secured environments.
Last year, following the disclosure of this vulnerability, it was actively exploited by hackers, including ransomware operators (Akira and Fog), who used it to compromise corporate networks.
Recall that last week, specialists from Arctic Wolf warned that since July 15, 2025, they have been detecting attacks involving the Akira ransomware. They suggested that criminals may be exploiting a zero-day vulnerability in SonicWall’s 7th generation firewalls in this campaign.
Soon these findings were confirmed by specialists from Huntress, who published their own report containing indicators of compromise collected during the study of this campaign.
Experts have advised administrators to temporarily disable SonicWall SSL VPN services due to the high likelihood that a vulnerability related to them is being exploited in attacks.
As now stated by SonicWall, the attacks by Akira actually affected users who did not follow the manufacturer’s recommendations for protection against CVE-2024-40766 when transitioning from 6th generation firewalls to 7th generation firewalls.
“Many incidents are associated with the migration from Gen 6 firewalls to Gen 7, where local user passwords were transferred during migration and not reset,” the experts explain. “Resetting passwords was an important step mentioned in the original security bulletin.”
The company now recommends updating the firmware to version 7.3.0 or later, where MFA (multi-factor authentication) and brute-force protection have been strengthened. It also advises resetting all local user passwords, especially those used for SSL VPN.
It should be noted that Reddit users believe the manufacturer’s statements may not be entirely accurate and clearly do not align with their own experiences. For instance, some individuals report that the breach was associated with accounts that did not even exist until the migration to 7th generation firewalls. Others claim that SonicWall representatives refused to analyze the logs provided to them.