‘Critical’ SonicWall Flaw Seeing Exploitation In Ransomware Attacks: Researchers

The vulnerability in the vendor’s SonicOS firmware affects a wide array of SonicWall firewalls.

A critical-severity vulnerability affecting a wide array of SonicWall firewalls has been exploited by threat actors to deploy ransomware, according to security researchers.

The access control flaw (tracked as CVE-2024-40766) impacts firewalls running multiple versions of the vendor’s SonicOS firmware—SOHO (Gen 5), Gen6 and Gen7. SonicWall disclosed a lengthy list of impacted firewalls in an advisory first published Aug. 22, at which point the vendor also released patches for the issue.

The vulnerability had initially only been known to affect SonicOS management access, but on Friday, SonicWall revealed that the flaw has also been found to impact SSLVPN.

“This vulnerability is potentially being exploited in the wild,” SonicWall wrote in the advisory. “Please apply the patch as soon as possible for affected products.”

According to a researcher at Arctic Wolf, threat actors have in fact recently begun to take advantage of the expanded scope of the vulnerability.

“Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts,” Stefan Hostetler, senior threat intelligence researcher at Arctic Wolf, wrote in a post.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed Monday it was aware of the reported attacks, adding the SonicOS flaw to its catalog of vulnerabilities known to have seen exploitation in the wild.

Meanwhile, researchers at Rapid7 also disclosed that as of Monday, they were “aware of several recent incidents (both external and Rapid7-observed) in which SonicWall SSLVPN accounts were targeted or compromised, including by ransomware groups.”

“Evidence linking CVE-2024-40766 to these incidents is still circumstantial, but given adversary interest in the software in general, Rapid7 strongly recommends remediating on an emergency basis,” the researchers said. “Vulnerabilities like CVE-2024-40766 are frequently used for initial access to victim environments.”

In response to an inquiry Tuesday, SonicWall referred CRN to the information in the published advisory.

The SonicOS improper access control vulnerability has received a severity rating of 9.3 out of 10.0.

The attacks are the latest case pointing to hackers’ increased focus on exploiting network security devices, with an uptick in high-profile attacks via firewall and VPN vulnerabilities in 2024.

The improved proficiency at locking down endpoint devices—and the position of network devices as the front door to the IT environment—have made firewalls and VPNs a particularly prized target as of late, security experts have told CRN.