Ransomware Actors Exploiting Critical SonicWall Firewall Vulnerability

Sep 14, 2024 | HIPAA News and Advice

Ransomware attackers are exploiting a critical vulnerability in SonicWall firewalls to gain initial access to victims’ systems. SonicWall first reported the vulnerability on August 22, 2024, and released a patch to address the issue. On September 6, 2024, SonicWall issued an updated advisory telling customers to install the latest firmware upgrade to avoid potential exploitation of the vulnerability.

The vulnerability is an improper access control flaw with an assigned CVSS severity score of 9.3, which rates it as critical. It affects SonicOS management access and the SSLVPN feature. When exploited, a remote attacker could gain unauthorized access to resources, leading to a crash of the firewall. The vulnerability impacts the following SonicWall devices: Gen 5, Gen 6, and Gen 7 devices using SonicOS versions 7.0.1-5035 or older. SonicWall’s update on September 6, 2024, confirmed that the firewall’s SSLVPN feature is vulnerable to attacks.

On the same day as SonicWall’s update, Stefan Hostetler, a senior threat intelligence researcher at Arctic Wolf, published an article on the company’s blog revealing that affiliates of Akira ransomware had exploited the vulnerability. The attackers used it to compromise SSLVPN accounts on vulnerable SonicWall devices, which gave them initial access to victims’ systems.

In all known cases of exploitation, the breached accounts were local to the devices themselves rather than linked to a central authentication system such as Microsoft Active Directory. In addition, multifactor authentication (MFA) was not enabled on the breached accounts, leaving them more vulnerable to attack. The devices were running firmware versions affected by the vulnerability, which is officially listed as CVE-2024-40766. Researchers at Rapid7 also observed ransomware activity directed at SonicWall SSLVPN accounts, but the evidence linking that activity to CVE-2024-40766 was circumstantial.

Hostetler recommends that users update their SonicWall devices to the latest firmware as soon as possible. He also stresses the importance of enabling MFA on all locally managed SSLVPN accounts and updating passwords for Gen 5 and Gen 6 devices. Along with these measures, SonicWall advises users to limit firewall management and SSLVPN access to trusted sources and to ensure that firewall WAN management is not exposed to the internet.

The vulnerability has now been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and all federal agencies have been instructed to patch it no later than September 30, 2024, to ensure their systems and sensitive data, including protected health information, are not compromised.
