The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has issued an urgent alert regarding active exploitation of a critical security flaw identified as CVE-2024-40766, impacting multiple generations of SonicWall SSL VPN devices. According to the advisory, threat actors, including those deploying Akira ransomware, are actively leveraging this vulnerability to gain unauthorized network access and, in some cases, crash firewalls.
The vulnerability, officially tracked as CVE-2024-40766, was publicly disclosed in August 2024 through advisory ID SNWLID-2024-0015. It affects Gen 5, Gen 6, and Gen 7 SonicWall appliances running SonicOS 7.0.1-5035 and earlier versions. Classified as a CWE-284 Improper Access Control issue, the vulnerability has been assigned a CVSS v3 score of 9.3, signaling a high-severity risk.
“This vulnerability is potentially being exploited in the wild,” warns the official SonicWall advisory, urging users to apply security patches without delay.
Technical Details of CVE-2024-40766
The SonicWall SSL vulnerability allows attackers to bypass access controls, granting them unauthorized access to protected resources. Under certain conditions, exploitation can trigger firewall crashes, causing network outages.
Although the issue is more prevalent in older firmware, recent exploitation cases have involved Gen 7 appliances, especially when configurations from earlier generations were migrated without updating user credentials.
SonicWall has confirmed that fewer than 40 incidents have been linked to this vulnerability, many stemming from organizations that transitioned from Gen 6 to Gen 7 devices without resetting local user passwords, a critical misstep that left systems exposed.
Mitigation Measures and Security Recommendations
In response to the active exploitation of CVE-2024-40766, both SonicWall and ASD’s ACSC have issued a set of comprehensive mitigation strategies aimed at minimizing exposure and reinforcing organizational defenses.
Firmware updates are the first and most critical step. Organizations using SonicWall devices must ensure their systems are updated to the latest secure versions. Specifically, Gen 5 devices should be upgraded to version 5.9.2.14-13o or later, Gen 6 devices to version 6.5.4.15.116n or later, and Gen 7 devices to version 7.3.0 or later.
Credential hygiene is also vital. All local SSL VPN user passwords should be reset immediately, especially in cases where user accounts were imported from older devices without proper credential updates. To streamline this process, SonicWall has released a bulk password reset script to assist administrators.
To further reduce the risk of unauthorized access, multi-factor authentication (MFA) should be enabled across all SonicWall SSL VPN accounts. The use of time-based one-time passwords (TOTP) or email-based one-time passcodes (OTP) can significantly mitigate the impact of compromised credentials.
Additionally, access restrictions should be implemented by limiting SSL VPN and WAN management access to only trusted IP addresses. If feasible, internet-facing access should be disabled entirely to reduce the attack surface.
Lastly, logging and monitoring are essential for early detection. Administrators are advised to enable event logging for all SSL VPN login attempts. Implementing account lockout mechanisms will help prevent brute-force attacks and alert security teams to suspicious login behavior.
Legacy Devices Remain Vulnerable
SonicWall has clarified that Gen 5 (excluding SOHO models) and NSA 2600 firewalls, both categorized as End-of-Life (EoL), will not receive security patches. These models remain exposed to active threats and should be retired or isolated from critical infrastructure.
“NSA 2600, Gen 5, and older units are susceptible to this exploit and will not be patched,” the company stated, emphasizing the urgency of replacing outdated hardware.
New Protections in SonicOS 7.3
To counter these threats, SonicWall has implemented new security enhancements in SonicOS 7.3, including brute-force detection, expanded MFA support, and improved admin account monitoring. However, these protections are only effective if updates are applied and configurations are actively managed.
Administrators are further encouraged to:
- Remove unused or dormant user accounts
- Audit and rotate LDAP login credentials
- Review recent configuration changes
- Examine local administrator logs for anomalies
