SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse.
“We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability,” the company said. “Instead, there is a significant correlation with threat activity related to CVE-2024-40766.”
CVE-2024-40766 (CVSS score: 9.3) was first disclosed by SonicWall in August 2024, calling it an improper access control issue that could allow malicious actors unauthorized access to the devices.
“An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash,” it noted in an advisory at the time.
SonicWall also said it’s investigating less than 40 incidents related to this activity, and that many of the incidents are related to migrations from Gen 6 to Gen 7 firewalls without resetting the local user passwords, a crucial recommendation action as part of CVE-2024-40766.
Furthermore, the company pointed out that SonicOS 7.3 has additional protection against brute-force password and multi-factor authentication (MFA) attacks. The updated guidance offered by the company is below –
- Update firmware to SonicOS version 7.3.0
- Reset all local user account passwords for any accounts with SSLVPN access, particularly those that were carried over during migration from Gen 6 to Gen 7
- Enable Botnet Protection and Geo-IP Filtering
- Enforce MFA and strong password policies
- Remove unused or inactive user accounts
The development comes as multiple security vendors reported observing a surge in attacks exploiting SonicWall SSL VPN appliances for Akira ransomware attacks.
