
Exploitation of vulnerabilities in SonicWall firewalls tied to ransomware assaults

High-value targets under assault: new exploits focus on compromising firewalls, as per researchers' findings.

Uncovered Connections between SonicWall Firewall Vulnerabilities and Ransomware Assaults


In a concerning development for enterprise security, a critical vulnerability known as CVE-2024-40766 has been actively exploited in SonicOS, the software that powers SonicWall firewalls. This vulnerability, which has a CVSS score of 9.3, indicating high severity, has been used by ransomware groups such as Fog and Akira to infiltrate enterprise networks [2].

Exploitation of CVE-2024-40766 allows threat actors to gain unauthorized access to the SonicOS management interface and SSL VPN, potentially leading to internal network access and the installation of persistent backdoors and rootkits such as OVERSTEP [3]. These intrusions facilitate credential exfiltration and ransomware deployment, severely compromising enterprise network integrity and data security [2][3].

Recent reports indicate that attackers have exploited this vulnerability to establish malicious SSL VPN sessions on targeted SonicWall SMA (Secure Mobile Access) devices. Cybersecurity insurance firm At-Bay reported that remote-access tools were the primary intrusion point for ransomware attacks, accounting for 3 in 5 attacks last year [6].

SonicWall urges customers to patch affected SMA 100 Series devices without delay, as unpatched systems remain vulnerable to exploitation that can result in persistent backdoor installations and ransomware attacks [1][4]. Although SonicWall recently fixed a similar critical flaw (CVE-2025-40599), exploitation of CVE-2024-40766 remains a current and active issue [1][2].

The vulnerability impacts SonicWall Gen 5, Gen 6, and Gen 7 devices running SonicOS version 7.0.1-5035 or older. Upgrading to the latest supported SonicOS versions is strongly encouraged for SonicWall customers [5].
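As an added illustration (not from the article or from SonicWall), the following inventory check applies the article's stated threshold, SonicOS 7.0.1-5035 or older, to a constructed list of Gen 7 devices. Devices of other generations are only flagged for manual review, because the article gives no build number for them; the exact fixed build for each generation should be taken from the vendor advisory.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Affected-version threshold quoted in the article (Gen 7 build numbering).
AFFECTED_MAX = "7.0.1-5035"

# Matches "major.minor.patch-build" and the four-part form used by older
# generations (e.g. "6.5.4.14-109n"), tolerating a trailing letter suffix.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?-(\d+)[a-z]*$")


def parse_sonicos_version(text: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Turn a SonicOS version string into a comparable tuple; None if malformed."""
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, extra, build = m.groups()
    return (int(major), int(minor), int(patch), int(extra or 0), int(build))


class Device(NamedTuple):
    name: str
    generation: int
    version: str


def assess(device: Device) -> str:
    """Return 'patch', 'ok', 'review' or 'unknown' for a single device."""
    if device.generation != 7:
        # Article names Gen 5/6 as affected but gives no build threshold.
        return "review"
    parsed = parse_sonicos_version(device.version)
    if parsed is None:
        return "unknown"
    return "patch" if parsed <= parse_sonicos_version(AFFECTED_MAX) else "ok"


def audit(devices):
    """Map each device name to its assessment."""
    return {d.name: assess(d) for d in devices}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Device("fw-hq-1", 7, "7.0.1-5035"),     # at the threshold: still affected
    Device("fw-hq-2", 7, "7.0.0-5000"),     # older build: affected
    Device("fw-branch", 7, "7.1.1-7040"),   # newer train: not in the stated range
    Device("fw-legacy", 6, "6.5.4.14-109n"),  # Gen 6: manual review
    Device("fw-odd", 7, "n/a"),             # unparseable version string
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```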

It is important to note that, while there is evidence linking several attacks to CVE-2024-40766 exploitation, Rapid7 described this evidence as circumstantial: there is not enough evidence to attribute the malicious activity to the exploited vulnerability with high confidence [3][4].

In a related development, the Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on Monday [7].

In the past couple of years, vulnerabilities in network edge devices from Barracuda, Citrix, Fortinet, Ivanti, and Palo Alto Networks have been widely exploited, underscoring the importance of timely patching and vigilant network security practices [8].

SonicWall firewalls are a valuable target for both financially motivated and advanced persistent threat adversaries, making it crucial for organisations to prioritise their security measures [9]. Multifactor authentication was disabled for all compromised accounts on local SonicWall firewalls, according to Arctic Wolf [10].

In conclusion, the active exploitation of CVE-2024-40766 poses a significant threat to organisational security, necessitating immediate action to patch affected systems and conduct forensic analysis to mitigate the threat.

  1. The exploitation of CVE-2024-40766, a high-severity vulnerability in SonicWall's SonicOS software, has been used by ransomware groups such as Fog and Akira to infiltrate enterprise networks, potentially leading to internal network access, the installation of persistent backdoors and rootkits, and ransomware deployment.
  2. Cybersecurity insurance firm At-Bay reported that remote-access tools were the primary intrusion point for ransomware attacks, accounting for 3 in 5 attacks last year, highlighting the importance of addressing vulnerabilities like CVE-2024-40766 to secure technology infrastructure.
  3. SonicWall's firewalls are valuable targets for financially motivated and advanced persistent threat adversaries, making it crucial for organizations to prioritize their cybersecurity measures, implement multifactor authentication, and promptly apply patches to protect their systems from exploitation.
