
Increase in ransomware attacks could be due to undiscovered vulnerability in SonicWall hardware

Hackers deploying the Akira ransomware are suspected of exploiting a SonicWall SSL VPN vulnerability in a wave of intrusions, according to researchers.


Researchers at Arctic Wolf have identified a series of ransomware attacks targeting SonicWall firewall devices. The intrusions, first observed on July 15, 2025, are suspected to involve a vulnerability in SonicWall products tracked as CVE-2024-40766. Although the activity was initially treated as a possible zero-day, CVE-2024-40766 is a flaw that SonicWall disclosed and patched in August 2024.

This critical improper access control flaw affects SonicOS software on Gen 5, Gen 6, and early Gen 7 devices. The vulnerability, rated with a CVSS score of 9.3, allows attackers to gain unauthorized access to resources through SonicWall’s SSL VPN feature, potentially enabling network breaches, data exfiltration, and ransomware deployment.

The hackers have been observed compromising SonicWall SSL VPNs before deploying the ransomware. In these attacks, the Akira ransomware variant has been deployed, with the Fog ransomware group also reportedly exploiting this flaw. The attacks target publicly accessible SonicWall SSLVPN devices, many running unsupported firmware versions, placing over 25,000 devices at risk.

The observations come from Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, who noted that the initial activity developed into full intrusions the following week. Arctic Wolf's investigation is still preliminary, and the researchers have not yet published extensive details.

SonicWall issued patches in August 2024 and urged administrators to update their firmware immediately and to restrict management access to trusted sources to limit exploitation. Despite the patch releases, as of mid-2025 many devices remain unpatched, and ransomware affiliates and other threat actors continue to exploit them for financially motivated attacks and espionage.
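The first practical question an administrator faces after reading the advisory is whether a given firewall is still on an affected build. The script below is an added example written for this page, not SonicWall's or Arctic Wolf's tooling: it parses SonicOS version strings from an inventory and classifies each device as patched or not for CVE-2024-40766. The fixed-build thresholds are taken from SonicWall's advisory for this CVE (SNWLID-2024-0015) and should be confirmed against the vendor's current advisory before being relied on; the hostnames and versions in the sample inventory are constructed.

```python
"""Classify SonicOS firmware versions against the builds SonicWall patched for CVE-2024-40766."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Threshold:
    version: str
    kind: str  # "first_fixed": vulnerable if older; "last_vulnerable": vulnerable if this build or older

# Per-generation thresholds as listed in SonicWall's advisory SNWLID-2024-0015.
# Assumption of this example: confirm these against the vendor's current advisory.
# Gen 6 SM9800 / NSsp 12400 / NSsp 12800 run a separate 6.5.2.x branch with its own
# fixed build; that branch is not modelled here and such devices will be misreported.
THRESHOLDS = {
    5: Threshold("5.9.2.14-13o", "first_fixed"),
    6: Threshold("6.5.4.15-116n", "first_fixed"),
    7: Threshold("7.0.1-5035", "last_vulnerable"),  # 7.0.1-5035 and older are affected
}

# SonicOS versions look like "7.0.1-5035" or "6.5.4.15-116n": dotted numbers,
# a dash, a build number, and an optional trailing letter.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")


def parse_version(s: str) -> tuple:
    """'6.5.4.15-116n' -> ((6, 5, 4, 15), 116, 'n'); raises ValueError on junk.

    The tuple orders correctly under Python's default comparison: dotted
    components first, then build number, then the letter suffix.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {s!r}")
    dotted, build, suffix = m.groups()
    return (tuple(int(x) for x in dotted.split(".")), int(build), suffix)


def is_vulnerable(version: str) -> bool:
    """True if the build is within the affected range for its hardware generation."""
    parsed = parse_version(version)
    gen = parsed[0][0]  # major version doubles as the hardware generation (5, 6, 7)
    thr = THRESHOLDS.get(gen)
    if thr is None:
        raise ValueError(f"no CVE-2024-40766 data for SonicOS major version {gen}")
    ref = parse_version(thr.version)
    return parsed < ref if thr.kind == "first_fixed" else parsed <= ref


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group (hostname, version) pairs into vulnerable / patched / unknown buckets."""
    out: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            out["vulnerable" if is_vulnerable(version) else "patched"].append(host)
        except ValueError:
            out["unknown"].append(host)  # unparsable or unsupported generation: check by hand
    return out


# Constructed sample inventory (hypothetical hostnames; versions chosen to sit on
# both sides of each threshold).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "7.0.1-5035"),
    ("fw-branch-02", "7.1.1-7058"),
    ("fw-legacy-dc", "6.5.4.14-109n"),
    ("fw-hq", "6.5.4.15-116n"),
    ("fw-old", "5.9.2.14-13o"),
    ("fw-odd", "not-a-version"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: a device whose version string does not parse, or whose generation has no entry in the table, should be looked at rather than silently treated as patched. A passing result from this check also says nothing about whether SSL VPN or management access is exposed to the internet, which the advisory asks administrators to restrict regardless of firmware level.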

This is not the first time SonicWall devices have been targeted in such attacks. A similar pattern was seen in 2021 with the HelloKitty ransomware group exploiting a comparable flaw. The incidents highlight a consistent trend of targeting SonicWall devices with remote access vulnerabilities.

It should be noted that Arctic Wolf could not rule out brute-force attacks or credential stuffing as the initial access method in the recent intrusions. A SonicWall spokesperson was not immediately available for comment.

In summary, CVE-2024-40766 is a critical flaw in SonicWall firewalls, disclosed in August 2024, that ransomware groups such as Akira have exploited to breach networks via SSL VPN access, most recently in the wave of intrusions that began in July 2025. The risk remains until devices are patched. SonicWall users are strongly advised to update their firmware and implement strict access controls to protect their networks.

  1. The ongoing ransomware attacks against SonicWall firewall devices, including those deploying the Akira ransomware, are a direct threat to the networks those firewalls protect.
  2. CVE-2024-40766 allows unauthorized access through SonicWall's SSL VPN feature and has been weaponized for network breaches, data exfiltration, and ransomware deployment.
  3. Attackers first compromise SonicWall SSL VPNs before deploying ransomware, targeting publicly accessible devices, many of which run unsupported firmware; over 25,000 devices are reported to be exposed.
  4. Exploitation of SonicWall remote access vulnerabilities is a recurring pattern, as the 2021 HelloKitty ransomware attacks showed.
  5. Because ransomware affiliates and other threat actors continue to exploit these devices, administrators should update firmware immediately, restrict management access to trusted sources, and apply strict access controls to minimise the risk.
