Article illustration 1

SonicWall has concluded its investigation into recent Akira ransomware attacks targeting Gen 7 firewalls, determining attackers exploited a known 2024 SSLVPN vulnerability rather than a previously feared zero-day flaw. The findings shift focus to CVE-2024-40766—a critical access control weakness in SonicOS that permits unauthorized VPN access—initially patched in August 2024. This vulnerability enabled threat actors to hijack sessions and breach protected networks, with Akira and Fog ransomware operators weaponizing it extensively since disclosure.

Initial alerts surfaced when Arctic Wolf Labs observed attack patterns suggesting a zero-day exploit in SonicWall appliances last week, prompting the vendor to advise disabling SSLVPN services temporarily. After analyzing 40 incidents, SonicWall's update states: "We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766."

The root cause traces to migration oversights: "Many incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over and not reset," SonicWall emphasized. Password resets were a critical mitigation step outlined in advisory SNWLID-2024-0015 but were overlooked during upgrades. Attackers exploited these lingering credentials to bypass security controls.

Critical Remediation Steps

SonicWall urges immediate action:
1. Upgrade firmware to version 7.3.0 or later, which bolsters brute-force defenses and MFA protections
2. Reset all local user passwords, especially SSLVPN credentials
3. Audit migration histories for unresolved credential transfers

Despite these directives, Reddit threads reveal administrator skepticism. Multiple users reported breaches on accounts created post-migration—contradicting SonicWall's migration-failure narrative. Others alleged the vendor declined log analysis requests. These inconsistencies, paired with SonicWall's ambiguous bulletin language, leave lingering doubts about the full attack surface.

The Unresolved Tension

While SonicWall attributes the attacks to unpatched legacy vulnerabilities, the disconnect between vendor claims and frontline experiences highlights deeper challenges in vulnerability management lifecycle adherence. As ransomware groups aggressively target supply chain weak points, this incident underscores the non-negotiable importance of comprehensive migration protocols—including credential hygiene audits beyond patch application. Until forensic clarity emerges, organizations must enforce SonicWall's mitigations while maintaining heightened vigilance for anomalous authentication patterns.

Source: BleepingComputer