
CVE-2024-40766: SonicWall SSL VPN Flaw Actively Exploited by Ransomware Threat Actors


Filip Dimitrov

September 12, 2025

CVE-2024-40766 is a critical improper access control vulnerability in SonicWall SonicOS management access and SSLVPN. Successful exploitation can grant unauthorized resource access and, under specific conditions, crash the firewall.

The bug affects Gen 5 and Gen 6 firewalls, and Gen 7 devices running SonicOS 7.0.1-5035 and older. It is now linked to real-world intrusions in which Akira ransomware operators obtain SSLVPN access and pivot inside victim networks within hours.

What’s affected

  • SonicWall devices: Gen 5, Gen 6; Gen 7 running SonicOS 7.0.1-5035 or older.
  • Fix/mitigation guidance: SonicWall PSIRT advisory SNWLID-2024-0015 and the follow-on SSLVPN threat-activity guidance. The later guidance links the 2025 incidents to CVE-2024-40766 and urges organizations to update firmware and reset local SSLVPN user passwords after upgrades or migrations.

Some third-party summaries enumerate fixed builds (e.g., Gen 5: 5.9.2.14-13o; Gen 6: 6.5.4.15-116n; Gen 7: install the latest release). Always verify against SonicWall's PSIRT page for your exact model and build.

Current exploitation & threat activity

Active exploitation was confirmed by national CSIRTs and vendor updates. Australia’s ACSC reports increased attacks against SonicWall SSLVPNs exploiting CVE-2024-40766 and specifically names Akira activity.

Multiple security vendors observed intrusions where SonicWall SSLVPN access preceded Akira ransomware deployment; SonicWall later attributed the wave to CVE-2024-40766 (not a zero-day) with cases linked to legacy credentials carried over during Gen6→Gen7 migrations. 

Post-exploitation, reports describe a rapid pivot to domain controllers and bring-your-own-vulnerable-driver (BYOVD) techniques used to disable Microsoft Defender before encryption, all following VPN-based initial access.

Technical overview (how attacks unfold)

  1. Initial access via SSLVPN: Adversaries authenticate to SonicWall SSLVPN, often using local credentials retained from a migration or weak accounts without MFA, and abuse the CVE-2024-40766 access-control weakness to gain unauthorized access.
  2. Internal pivot: Within hours, intruders enumerate and move laterally (notably toward domain controllers) to stage ransomware.
  3. Defense evasion: Akira operators deploy a bring-your-own-vulnerable-driver chain to degrade endpoint protections, then proceed to encrypt.

Immediate actions

  1. Patch/upgrade now to the latest SonicOS for your model; do not delay pending maintenance windows.
  2. Force credential resets for all local SSLVPN accounts, especially after a Gen 6 to Gen 7 migration, and remove stale local accounts.
  3. Restrict exposure:
  • Enable MFA on all VPN accounts (but do not rely on MFA alone during active exploitation).
  • IP allow-list remote access or geo-fence where feasible; consider temporarily disabling SSLVPN if compromise is suspected.
  4. Harden the management plane: ensure management access is not exposed to the internet; use a VPN or privileged jump hosts for administration.
  5. Monitor and contain:
  • Implement high-fidelity alerts on unusual VPN logins and immediate lateral movement.
  • If indicators are present, revoke tokens and sessions, rotate all credentials used on the edge, and run full IR containment (block egress to attacker VPS ranges, isolate impacted hosts). (Huntress)

Detection guidance

Traditional IOCs are scarce for this campaign, so defenders must focus on behavioral signals. Key signs include unusual VPN activity, such as logins from VPS/cloud IPs or from disabled/inactive accounts, often following bursts of failed attempts. 

In several cases, suspicious logins were immediately followed by new admin sessions and account creation on domain controllers. Another red flag is tampering with endpoint security, such as unexpected driver installations or registry changes that disable antivirus protections. In rare cases, exploitation may also cause firewall crashes or restarts tied to SSLVPN access.

Threat hunting

For hunting, correlate SonicWall VPN login events with Windows logon, account creation and group membership activity (e.g., Event IDs 4624 for logons, 4720 for account creation, and 4728/4732 for members added to global/local groups). Also monitor for driver loads (Sysmon Event ID 6) and new service installations (System Event ID 7045) on servers occurring shortly after unusual VPN connections, particularly from unfamiliar ASNs.
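The detection signals above (failure bursts before a success, logins from non-baselined address space or from accounts that should be disabled) and the VPN-to-Windows correlation described in this section, as an added hunting example. This is not SonicWall, Huntress or OP Innovate tooling; the log layouts, the expected-network list, the disabled-account list and the sample events are all constructed for the example, so adapt parse() to the fields your SIEM actually emits.

```python
"""Added example: flag odd SonicWall SSLVPN logins and tie them to Windows events
that follow within a pivot window. Log formats are simplified constructions
(ISO timestamp followed by key=value pairs), not the vendors' real syslog."""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumptions for the example: baseline these from your own environment.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # where users normally come from
DISABLED_ACCOUNTS = {"svc_backup_old"}                       # accounts that must never log in
FAILURE_BURST = 5                       # failures before a success that count as a burst
BURST_WINDOW = timedelta(minutes=10)
PIVOT_WINDOW = timedelta(hours=2)       # how soon after the VPN login we look for follow-on activity

# Windows events worth tying back to an odd VPN login.
INTERESTING_WIN = {
    ("Security", 4624): "logon",
    ("Security", 4720): "user account created",
    ("Security", 4728): "member added to global group",
    ("Security", 4732): "member added to local group",
    ("System", 7045): "new service installed",
    ("Sysmon", 6): "driver loaded",
}
# These run as SYSTEM rather than the VPN user, so they are matched on time alone.
HOST_LEVEL = {("System", 7045), ("Sysmon", 6)}

# Constructed sample data: a failure burst then success from a non-baselined
# address, a login by a supposedly disabled account, and one normal login.
VPN_LOG = """\
2025-09-10T01:02:11 user=j.doe src=198.51.100.23 msg="SSLVPN login failed"
2025-09-10T01:03:05 user=j.doe src=198.51.100.23 msg="SSLVPN login failed"
2025-09-10T01:04:12 user=j.doe src=198.51.100.23 msg="SSLVPN login failed"
2025-09-10T01:05:30 user=j.doe src=198.51.100.23 msg="SSLVPN login failed"
2025-09-10T01:06:44 user=j.doe src=198.51.100.23 msg="SSLVPN login failed"
2025-09-10T01:08:40 user=j.doe src=198.51.100.23 msg="SSLVPN login succeeded"
2025-09-10T02:15:00 user=svc_backup_old src=198.51.100.77 msg="SSLVPN login succeeded"
2025-09-10T09:00:02 user=a.smith src=203.0.113.45 msg="SSLVPN login succeeded"
"""
WIN_LOG = """\
2025-09-10T01:20:05 host=DC01 channel=Security id=4624 user=j.doe
2025-09-10T01:31:50 host=DC01 channel=Security id=4720 user=j.doe target=helpdesk2
2025-09-10T01:33:10 host=DC01 channel=Security id=4728 user=j.doe group="Domain Admins"
2025-09-10T01:40:00 host=FS01 channel=Sysmon id=6 user=SYSTEM driver=unsigned_example.sys
2025-09-10T09:05:00 host=DC01 channel=Security id=4624 user=a.smith
"""

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Split 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
              for m in KV.finditer(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def suspicious_vpn_logins(vpn_log):
    """Return (event, reasons) for successful logins that match a behavioral signal."""
    events = sorted((parse(l) for l in vpn_log.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    failures = {}   # (user, src) -> timestamps of failed attempts
    flagged = []
    for e in events:
        key = (e["user"], e["src"])
        if "failed" in e["msg"]:
            failures.setdefault(key, []).append(e["ts"])
            continue
        reasons = []
        burst = [t for t in failures.get(key, []) if e["ts"] - t <= BURST_WINDOW]
        if len(burst) >= FAILURE_BURST:
            reasons.append(f"{len(burst)} failures in the {BURST_WINDOW} before success")
        if not any(ipaddress.ip_address(e["src"]) in net for net in EXPECTED_NETS):
            reasons.append("source outside expected networks")
        if e["user"] in DISABLED_ACCOUNTS:
            reasons.append("account should be disabled")
        if reasons:
            flagged.append((e, reasons))
    return flagged

def correlate(flagged, win_log):
    """Attach Windows events that follow each flagged VPN login within PIVOT_WINDOW."""
    win = [parse(l) for l in win_log.splitlines() if l.strip()]
    findings = []
    for e, reasons in flagged:
        follow = []
        for w in win:
            kind = (w["channel"], int(w["id"]))
            if kind not in INTERESTING_WIN:
                continue
            if not (timedelta(0) <= w["ts"] - e["ts"] <= PIVOT_WINDOW):
                continue
            if w["user"] == e["user"] or kind in HOST_LEVEL:
                follow.append((w["host"], INTERESTING_WIN[kind]))
        findings.append({"user": e["user"], "src": e["src"], "ts": e["ts"],
                         "reasons": reasons, "followups": follow})
    return findings

def hunt(vpn_log=VPN_LOG, win_log=WIN_LOG):
    return correlate(suspicious_vpn_logins(vpn_log), win_log)

if __name__ == "__main__":
    for f in hunt():
        print(f"{f['ts']} {f['user']} from {f['src']}: {'; '.join(f['reasons'])}")
        for host, what in f["followups"]:
            print(f"    -> {host}: {what}")
```

On the sample data the j.doe login is flagged for both the failure burst and the unexpected source, and the domain controller logon, account creation, group addition and the later driver load on FS01 all land inside the two-hour window; the svc_backup_old login is flagged on its own but has no follow-on activity, which is the kind of hit that still warrants a credential reset. Driver loads and service installs are matched on time only because they are logged under SYSTEM, so expect some noise from legitimate patching and tune the window accordingly.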

Stay Safe. Stay Secure.
The OP Innovate Research Team
