
SonicWall Confirms Patched Vulnerability Behind Recent VPN Attacks, Not a Zero-Day - The Hacker News

The Hacker News Archived Mar 16, 2026 ✓ Full text saved



Ravie Lakshmanan | Aug 07, 2025 | Network Security / Vulnerability

SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse.

"We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability," the company said. "Instead, there is a significant correlation with threat activity related to CVE-2024-40766."

CVE-2024-40766 (CVSS score: 9.3) was first disclosed in August 2024 by SonicWall, which described it as an improper access control issue that could allow malicious actors unauthorized access to the devices.

"An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash," it noted in an advisory at the time.

SonicWall also said it is investigating fewer than 40 incidents related to this activity, and that many of the incidents are related to migrations from Gen 6 to Gen 7 firewalls without resetting the local user passwords, a crucial recommended action for CVE-2024-40766.

Furthermore, the company pointed out that SonicOS 7.3 has additional protection against brute-force password and multi-factor authentication (MFA) attacks. The updated guidance offered by the company is below:

- Update firmware to SonicOS version 7.3.0
- Reset all local user account passwords for any accounts with SSLVPN access, particularly those that were carried over during migration from Gen 6 to Gen 7
- Enable Botnet Protection and Geo-IP Filtering
- Enforce MFA and strong password policies
- Remove unused or inactive user accounts

The development comes as multiple security vendors reported observing a surge in attacks exploiting SonicWall SSL VPN appliances for Akira ransomware attacks.

Last year, Arctic Wolf disclosed that threat actors associated with Akira and Fog were targeting SonicWall SSL VPNs that were unpatched against CVE-2024-40766 to breach victim networks between August and mid-October 2024.

Cybersecurity company Huntress told The Hacker News that it continues to see organizations impacted by threat actors targeting SonicWall Gen 7 firewall appliances, adding that a total of at least 28 incidents have been recorded from this activity cluster as of August 6, 2025.

Update

SonicWall, in an update to its advisory on August 11, shared new guidance for local administrator accounts that have been breached through the exploitation of CVE-2024-40766:

If any local administrator accounts have been compromised through CVE-2024-40766, attackers may exploit administrative features such as packet capture, debugging, logging, configuration backup, or MFA control to obtain additional credentials, monitor traffic, or weaken the overall security posture. It is advisable to review any packet captures, logs, MFA settings, and recent configuration changes for unusual activity, and rotate any credentials that may have been exposed.
SHARE     Tweet Share Share SHARE  cybersecurity, Endpoint Protection, Firewall, network security, password security, ransomware, Sonicwall, Threat Intelligence, VPN, Vulnerability Trending News 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Load More ▼ Popular Resources 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Identity Controls Checklist: Find Missing Protections in Apps Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Aug 07, 2025
    Archived
    Mar 16, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗