Ethical Hacking News
SonicWall has revealed that recent Akira ransomware attacks are not exploiting a zero-day vulnerability in their Gen 7 firewalls. Instead, they claim that the attacks are targeting endpoints that did not follow recommended mitigation measures for CVE-2024-40766 when migrating from Gen 6 to Gen 7 firewalls. Even so, some customers have reported breaches after disabling their VPN services and taking other recommended measures. What's behind these reports, and what can SonicWall do to prevent similar attacks in the future?
SonicWall acknowledges recent Akira ransomware attacks are exploiting CVE-2024-40766, an older unauthorized access flaw in their Gen 7 firewalls. The vulnerability was previously disclosed and documented, but SonicWall is now acknowledging the risk after a surge of attacks against customers. SonicWall initially suggested a zero-day vulnerability, then revised its stance to say attacks are targeting endpoints that didn't follow recommended mitigation measures for CVE-2024-40766. Customers are advised to update firmware to version 7.3.0 or later and reset local user passwords to mitigate the risk. Rumors of breaches despite disabling VPN services highlight the ongoing cat-and-mouse game between threat actors and cybersecurity vendors.
SonicWall's recent update on their security bulletin has sent shockwaves through the cybersecurity community, raising more questions than answers about the nature of the ongoing attacks against their Gen 7 firewalls. According to SonicWall, the recent Akira ransomware attacks that have been targeting vulnerable endpoints are not exploiting a zero-day vulnerability in their products, but rather taking advantage of an older unauthorized access flaw (CVE-2024-40766) that was previously disclosed and documented.
CVE-2024-40766 is a critical SSLVPN access control flaw in SonicOS, allowing unauthorized access to vulnerable endpoints. This flaw was extensively exploited following its disclosure roughly a year ago by various threat actors, including the Akira and Fog ransomware operators who used it to breach corporate networks. It's clear that this vulnerability has been a known issue for some time, so why is SonicWall only now acknowledging the risk?
The answer lies in the recent surge of attacks against SonicWall customers. In July 2025, Arctic Wolf Labs first hinted at the potential existence of a zero-day vulnerability in SonicWall Gen 7 firewalls, after noticing Akira ransomware attack patterns that supported this assumption. SonicWall quickly confirmed that it was aware of an ongoing campaign and advised customers to turn off SSL VPN services and limit connectivity to trusted IP addresses until the situation cleared up.
However, it appears that SonicWall has now revised their stance on the matter, stating that there is no zero-day vulnerability in their products being exploited. Instead, they claim that the attacks are targeting endpoints that did not follow the recommended course of action for mitigating CVE-2024-40766 when migrating from Gen 6 to Gen 7 firewalls.
According to SonicWall, many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset. This highlights a critical issue with the current state of SonicWall's security, as it appears that the company is only now addressing this known vulnerability.
In light of these revelations, it's clear that vigilance and immediate application of recommended measures remain crucial for customers using SonicWall products. The recommended action now is to update firmware to version 7.3.0 or later, which has stronger brute-force and MFA protections, and reset all local user passwords, especially those used for SSLVPN.
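The two checks above can be run against an asset inventory to find the firewalls and accounts that still need attention. The following is an added example, not SonicWall tooling or code from the original article: the CSV layout, column names and sample rows are constructed assumptions, and it only prioritises passwords that predate a Gen 6 to Gen 7 migration (the article's advice is to reset all local user passwords).

```python
import csv
import io
from datetime import date

MIN_FIRMWARE = (7, 3, 0)  # minimum release named in the article

# Constructed sample inventory; the column names are assumptions,
# not a SonicWall export format.
SAMPLE_INVENTORY = """\
firewall,firmware,migrated_from_gen6,migration_date,user,sslvpn_enabled,password_last_set
fw-hq,7.3.0,yes,2025-03-10,alice,yes,2025-08-06
fw-hq,7.3.0,yes,2025-03-10,bob,yes,2023-11-02
fw-branch,7.1.2,yes,2025-01-15,carol,no,2024-06-30
fw-lab,7.3.1,no,,dave,yes,2024-02-01
"""

def parse_version(text):
    """Turn '7.1.2' or '7.1.2-7019' into a comparable 3-field tuple."""
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(inventory_csv):
    """Return sorted (firewall, user, finding) tuples that still need action."""
    findings = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fw, user = row["firewall"], row["user"]
        if parse_version(row["firmware"]) < MIN_FIRMWARE:
            findings.add((fw, "-", "firmware below 7.3.0"))
        if row["migrated_from_gen6"] != "yes":
            continue
        migrated = date.fromisoformat(row["migration_date"])
        last_set = date.fromisoformat(row["password_last_set"])
        if last_set <= migrated:
            # Password predates the migration, so it was carried over.
            label = "carried-over password"
            if row["sslvpn_enabled"] == "yes":
                label += " (SSLVPN user)"
            findings.add((fw, user, label))
    return sorted(findings)

if __name__ == "__main__":
    for fw, user, finding in audit(SAMPLE_INVENTORY):
        print(f"{fw:10} {user:6} {finding}")
```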
But what about the rumors circulating on social media that some SonicWall customers have been breached despite disabling their VPN services and taking other recommended measures? The answer lies in the fact that some attackers are using more sophisticated tactics to bypass security controls. This highlights the ongoing cat-and-mouse game between threat actors and cybersecurity vendors, where one side is always trying to stay ahead of the other.
In conclusion, SonicWall's recent update on their security bulletin has shed new light on the ongoing Akira ransomware attacks that have been targeting vulnerable endpoints. While it appears that there is no zero-day vulnerability in SonicWall products being exploited, it's clear that this known issue has been a major concern for customers using these products.
As the cybersecurity landscape continues to evolve, one thing remains certain: vigilance and immediate application of recommended measures remain crucial for customers using SonicWall products. It's also clear that threat actors will continue to adapt and evolve their tactics to stay ahead of security vendors, highlighting the ongoing need for a proactive approach to cybersecurity.
Published: Thu Aug 7 14:43:53 2025 by llama3.2 3B Q4_K_M