SonicWall Denies 0-Day Exploit, Links Recent Attacks to 2024 Vulnerability

SonicWall has confirmed that recent attacks targeting its Gen 7 firewalls with SSL VPN enabled were the work of the Akira ransomware group exploiting an older, already patched vulnerability, CVE-2024-40766, rather than a suspected zero-day.


Key Findings

Following an investigation into 40 incidents, SonicWall determined that attackers leveraged CVE-2024-40766, a critical improper access control flaw in SonicOS affecting SSL VPN, patched in August 2024.

  • The vulnerability allows unauthorized access to the SSL VPN, giving an attacker a foothold from which to move into the internal network.
  • Earlier this month, Arctic Wolf and Huntress warned of Akira ransomware activity—observed since July 15, 2025—and initially suspected a zero-day exploit. SonicWall now disputes that assessment.

Why Were Systems Still Vulnerable?

SonicWall says many affected organizations had migrated from Gen 6 to Gen 7 firewalls but failed to reset local user passwords, a key step outlined in the original security bulletin.

  • Local user passwords carried over from the Gen 6 configuration remained valid, so accounts (and any credentials already stolen through the flaw) stayed usable even after the firmware patch was applied.

SonicWall’s Recommendations

  • Update firmware to version 7.3.0+, which includes enhanced MFA and brute-force protection.
  • Reset all local user passwords, especially those used for SSL VPN access.
  • Audit migration logs to ensure no legacy credentials remain active.
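The three recommendations above amount to a post-migration audit: confirm the firmware floor, find SSL VPN accounts whose passwords were never reset after the move, and find accounts still lacking MFA. The script below is an added example, not SonicWall's code or a SonicWall API; the local-user export format, the group name "SSLVPN Services", the field names, and the sample records are constructed for illustration, and a real export would need to be mapped onto these fields. The version parser assumes SonicOS-style version strings such as "7.3.0-7012", with the build suffix ignored.

```python
"""
Added example: post-migration audit of a firewall's local users and firmware.
Not SonicWall code. The export format, group name, field names and sample
records are constructed for this example.
"""
import re
from datetime import date, datetime

# Minimum firmware the article cites (SonicOS 7.3.0+).
MIN_FIRMWARE = (7, 3, 0)

# Assumed group name for SSL VPN users; adjust to the real export.
VPN_GROUP = "SSLVPN Services"

# Constructed sample export. password_last_set is ISO date or None when the
# export carries no history (typical for an account copied from Gen 6).
SAMPLE_USERS = [
    {"username": "vpn-alice", "groups": [VPN_GROUP], "enabled": True,
     "password_last_set": "2025-08-02", "totp_enrolled": True},
    {"username": "vpn-bob", "groups": [VPN_GROUP], "enabled": True,
     "password_last_set": "2023-11-14", "totp_enrolled": False},   # carried over
    {"username": "svc-backup", "groups": [VPN_GROUP, "Trusted Users"], "enabled": True,
     "password_last_set": None, "totp_enrolled": False},            # no history
    {"username": "old-contractor", "groups": [VPN_GROUP], "enabled": False,
     "password_last_set": "2022-01-01", "totp_enrolled": False},    # disabled
    {"username": "admin-local", "groups": ["SonicWall Administrators"], "enabled": True,
     "password_last_set": "2024-01-01", "totp_enrolled": False},    # not a VPN user
]
SAMPLE_MIGRATION_DATE = date(2025, 3, 10)   # constructed Gen 6 -> Gen 7 cut-over


def parse_sonicos_version(version_str):
    """Return (major, minor, patch) from a string like '7.3.0-7012'; None if unparsable."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version_str or "")
    return tuple(int(x) for x in m.groups()) if m else None


def firmware_ok(version_str):
    """True when the running firmware meets the 7.3.0 floor."""
    v = parse_sonicos_version(version_str)
    return v is not None and v >= MIN_FIRMWARE


def _vpn_users(users):
    """Enabled accounts that belong to the SSL VPN group."""
    return [u for u in users if u.get("enabled", True) and VPN_GROUP in u.get("groups", [])]


def stale_vpn_accounts(users, migration_date):
    """Enabled SSL VPN accounts whose password was set on or before the migration
    date, or whose password history is missing. Both cases are treated as
    'never reset after migration' because the safe assumption is that the
    credential was carried over."""
    stale = []
    for u in _vpn_users(users):
        last = u.get("password_last_set")
        if last is None:
            stale.append(u["username"])
            continue
        if datetime.strptime(last, "%Y-%m-%d").date() <= migration_date:
            stale.append(u["username"])
    return sorted(stale)


def vpn_accounts_without_mfa(users):
    """Enabled SSL VPN accounts with no TOTP enrollment recorded."""
    return sorted(u["username"] for u in _vpn_users(users) if not u.get("totp_enrolled", False))


def audit(users, firmware_version, migration_date):
    """Combine the three checks into one report dict."""
    return {
        "firmware_ok": firmware_ok(firmware_version),
        "needs_password_reset": stale_vpn_accounts(users, migration_date),
        "missing_mfa": vpn_accounts_without_mfa(users),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_USERS, "7.1.3-7015", SAMPLE_MIGRATION_DATE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Accounts with no recorded password history are deliberately reported alongside accounts with an old date: a migrated configuration often carries no history at all, and silently skipping those accounts would miss exactly the carried-over credentials the bulletin warns about. Disabled accounts are excluded from both lists but should still be removed rather than left dormant.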

Community Backlash

On Reddit, some users have reported inconsistencies with SonicWall’s explanation:

  • Claims that non-existent accounts were compromised post-migration.
  • Allegations that SonicWall declined to review submitted firewall logs.

Critics argue the official findings don’t fully align with observed attack patterns in the field.


Broader Context

CVE-2024-40766 was previously exploited by Akira and Fog ransomware in 2024.

This incident underscores the risks posed by incomplete patch adoption and poor credential hygiene during infrastructure upgrades.


Key Takeaway:
While no zero-day was involved, the combination of unpatched systems and weak post-migration practices gave attackers an opening. Organizations must enforce password resets and security audits after firewall upgrades to prevent credential-based compromise.