SonicWall has confirmed that the recent wave of cyberattacks targeting its Gen 7 firewalls with SSL VPN enabled is not linked to a newly discovered vulnerability. Instead, the activity is associated with CVE-2024-40766, an already patched security flaw, and the reuse of passwords from earlier device generations.
“We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability,” the company stated. “Instead, there is a significant correlation with threat activity related to CVE-2024-40766.”
Originally disclosed in August 2024, CVE-2024-40766 is a critical improper access control flaw (CVSS score: 9.3) in SonicWall’s SonicOS that could allow unauthorized access to firewalls and potentially trigger crashes under certain conditions. The issue primarily affects management access to SonicWall devices.
SonicWall has reported fewer than 40 confirmed incidents so far. A majority of these stem from migrations from Gen 6 to Gen 7 firewalls where local user passwords weren’t reset, even though resetting them was a key recommendation issued when the flaw was disclosed. This oversight has left some networks vulnerable, despite the availability of a fix.
The company emphasized that its SonicOS 7.3 firmware version includes improved protections against brute-force attacks and multi-factor authentication (MFA) bypass attempts. It has also reissued a set of mitigation best practices, urging users to:
- Upgrade to SonicOS 7.3.0
- Reset all local SSL VPN user passwords, especially those carried over from Gen 6
- Enable Botnet Protection and Geo-IP Filtering
- Enforce strong password policies and MFA
- Delete unused or inactive user accounts
The uptick in exploit attempts comes as multiple cybersecurity firms, including Huntress and Arctic Wolf, report increasing abuse of SonicWall SSL VPN appliances in Akira ransomware campaigns. Huntress noted that as of August 6, 2025, it had recorded at least 28 related incidents from this activity group.
Last year, Arctic Wolf highlighted that attackers, including those behind Akira and Fog, were actively scanning for unpatched SonicWall SSL VPNs vulnerable to CVE-2024-40766 — making patching and password hygiene more important than ever.