The ACSC warns that CVE-2024-40766 is being actively exploited in SonicWall SSL VPN appliances, enabling unauthorized access and in some cases causing firewall crashes across Gen 5–7 devices. Immediate actions recommended include applying SonicWall firmware updates, resetting local SSLVPN passwords (especially after migrations), enabling MFA, and blocking identified malicious IPs. #CVE-2024-40766 #Akira
Key points
- The Australian Cyber Security Centre (ACSC) has issued an urgent warning about active exploitation of CVE-2024-40766 affecting SonicWall SSL VPN appliances.
- The vulnerability (CWE-284, CVSS v3 9.3) allows access-control bypass, enabling unauthorized access and potentially causing firewall crashes.
- Multiple SonicWall device generations are affected (Gen 5, Gen 6, Gen 7) running SonicOS 7.0.1-5035 and earlier; migrated configurations can expose Gen 7 devices if credentials weren’t reset.
- Threat actors exploiting the flaw include groups deploying Akira ransomware; SonicWall reports fewer than 40 incidents linked to this activity so far.
- SonicWall released firmware updates (Gen 5: 5.9.2.14-13o+, Gen 6: 6.5.4.15.116n+, Gen 7: 7.3.0+) and advises immediate local password resets and use of a bulk password change script.
- Recommended mitigations: apply firmware updates, enforce credential hygiene and MFA, restrict/disable WAN management, enable logging and account lockouts, and block identified malicious IPs.
- End-of-life devices (NSA 2600, many Gen 5 units) will not be patched and should be decommissioned or segmented from critical networks.
MITRE Techniques
- [T1078] Valid Accounts – Attackers leveraged migrated or unchanged local SSLVPN account credentials to gain unauthorized access (“many of which involved organizations migrating from Gen 6 to Gen 7 devices without updating local user passwords.”).
- [T1190] Exploit Public-Facing Application – Threat actors exploited CVE-2024-40766 in SonicWall SSL VPN appliances to bypass access controls and cause firewall crashes (“This vulnerability is potentially being exploited in the wild … Please apply the patch as soon as possible for affected products.”).
- [T1499] Endpoint Denial of Service – Exploitation under certain conditions may result in a firewall crash, causing denial of service to the affected appliance (“Under certain conditions, exploitation may result in a firewall crash.”).
- [T1110] Brute Force – SonicWall 7.3 introduced brute-force detection and recommendations include configuring account lockout and monitoring login attempts, indicating brute-force is a relevant risk (“Event logging for all SSLVPN login attempts should be enabled … account lockout mechanisms should be configured to mitigate brute-force attempts.”).
Indicators of Compromise
- [IP Address] Malicious hosts observed in exploitation activity – 88[.]119[.]175[.]104, 45[.]149[.]172[.]51 and other flagged IPs (5 additional addresses listed).
- [Device/Firmware] Affected firmware versions to detect vulnerable systems – SonicOS 7.0.1-5035 and earlier; fixed versions include Gen 5: 5.9.2.14-13o+, Gen 6: 6.5.4.15.116n+, Gen 7: 7.3.0+.
- [Model] Vulnerable device models and EoL units – Gen 5 (excluding SOHO), NSA 2600, Gen 6 and Gen 7 devices with migrated credentials (NSA 2600 and many Gen 5 units will not receive patches).
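To turn the fixed-version and credential guidance in the key points and indicators above into a repeatable check, here is an added example (not code from Cyble, ACSC or SonicWall) that classifies an inventory of appliances. It takes the fixed versions and the NSA 2600 end-of-life note from this page; the version-ordering rules, the model names and the inventory rows are assumptions constructed for the example.

```python
import re

# First fixed firmware per generation, as listed in the key points above.
FIXED = {5: "5.9.2.14-13o", 6: "6.5.4.15.116n", 7: "7.3.0"}
# Models the page says will not receive patches (extend from your own inventory).
EOL_MODELS = {"NSA 2600"}

_PART = re.compile(r"^(\d+)([A-Za-z]*)$")


def parse_version(version):
    """Split '5.9.2.14-13o' into [(5,''),(9,''),(2,''),(14,''),(13,'o')].

    Assumption: components are ordered numerically first, then by the trailing
    letter (so 13o < 13p), which is how SonicOS hotfix suffixes are read here.
    """
    parts = []
    for piece in re.split(r"[.-]", version.strip()):
        match = _PART.match(piece)
        if not match:
            raise ValueError(f"unparseable SonicOS version component: {piece!r}")
        parts.append((int(match.group(1)), match.group(2).lower()))
    return parts


def assess(model, firmware, migrated_from_gen6=False, local_passwords_reset=False):
    """Classify one appliance against the advisory's patch and credential guidance."""
    if model in EOL_MODELS:
        return "eol-no-patch: decommission or segment from critical networks"
    version = parse_version(firmware)
    generation = version[0][0]          # major version maps to Gen 5 / 6 / 7
    if generation not in FIXED:
        return "unknown-generation: review manually"
    if version < parse_version(FIXED[generation]):
        return f"vulnerable: upgrade to {FIXED[generation]} or later"
    # Patched Gen 7 units still carry risk if Gen 6 local SSLVPN passwords were migrated as-is.
    if generation == 7 and migrated_from_gen6 and not local_passwords_reset:
        return "patched-but-exposed: reset migrated local SSLVPN passwords and enforce MFA"
    return "patched"


if __name__ == "__main__":
    # Constructed sample inventory (model, firmware, migrated_from_gen6, local_passwords_reset).
    inventory = [
        ("TZ 370", "7.0.1-5035", True, False),
        ("TZ 370", "7.3.0", True, False),
        ("NSA 2600", "6.5.4.15.116n", False, False),
        ("TZ 500", "6.5.4.15.116m", False, False),
    ]
    for model, fw, migrated, reset in inventory:
        print(f"{model:9} {fw:14} -> {assess(model, fw, migrated, reset)}")
```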
Read more: https://cyble.com/blog/acsc-warns-of-cve-2024-40766/