SonicWall Refutes Zero-Day Vulnerability Claims in Recent Akira Ransomware Campaign

CyberSecureFox 🦊

SonicWall has officially rejected speculation that an unknown zero-day vulnerability was used in the recent Akira ransomware attacks. After investigating 40 security incidents, the company concluded that the attackers exploited a previously disclosed and patched vulnerability rather than a new attack vector.

CVE-2024-40766: The Real Culprit Behind SonicWall Compromises

SonicWall's internal analysis found that Akira operators used CVE-2024-40766, a critical improper access control flaw in SonicOS that was disclosed and patched in August 2024. The bug affects the access controls of the SonicOS SSL VPN (and management interface) and can give an attacker unauthorized access to resources behind the firewall.

According to SonicWall representatives: “Recent SSL VPN activity was not associated with a zero-day vulnerability. There is clear correlation with CVE-2024-40766, which was publicly documented in security bulletin SNWLID-2024-0015.”

Understanding the CVE-2024-40766 Exploitation Method

CVE-2024-40766 is an access control flaw: it lets an attacker obtain SSL VPN access to a corporate network without proper authorization. Since its public disclosure in 2024, several ransomware groups, including Akira and Fog, have actively exploited it.

In practice, the attacker bypasses the SSL VPN's authentication controls and lands on the internal network with a foothold that can then be used for lateral movement. The technique has been most effective against organizations that applied the firmware update but skipped the accompanying remediation steps.

Initial Security Assessments and Expert Analysis

Starting around July 15, 2025, Arctic Wolf analysts documented a surge in Akira ransomware intrusions that began with SSL VPN logins on SonicWall Gen 7 firewalls. Researchers initially suspected zero-day exploitation, which prompted widespread recommendations to temporarily disable SSL VPN as a precaution.

Huntress researchers corroborated these findings with their own incident reports, including indicators of compromise (IoCs) and a technical breakdown of the campaign. These early assessments documented the intrusion methods used by Akira operators but did not identify the initial access flaw.

Migration Errors: The Primary Attack Vector

SonicWall's investigation found that most successful compromises traced back to improper migration from Gen 6 to Gen 7 appliances: local user passwords were carried over to the new device and never reset, even though the original security bulletin required a reset. Credentials that had been exposed while the Gen 6 device was vulnerable therefore remained valid on the new, patched hardware.

Company experts explained: “Many incidents were migration-related, where local user passwords were carried over and not reset. Password resets were a key security requirement specified in the original security bulletin.”

As a result, an attacker holding previously obtained credentials could still log in to the new appliance. Organizations remained open to credential-based attacks even after moving to a hardware generation designed to improve their security posture.

Comprehensive Remediation Strategy

SonicWall has issued specific guidance to cut off the ongoing intrusions and prevent new ones. Organizations should update to SonicOS 7.3.0 or later, which adds stronger protection against brute-force password and MFA attacks.

Administrators must also reset the passwords of all local user accounts, especially those with SSL VPN access. Updating the firmware alone does not invalidate passwords that were already exposed; the reset is what closes the migration-related gap and shrinks the attack surface.
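As an added example, not SonicWall's own tooling or code from this article, the following Python script checks the two remediation points above: that the running SonicOS build is 7.3.0 or newer, and that every local account carried over from a Gen 6 migration has had its password reset after the migration, and has MFA enabled if it can use SSL VPN. The CSV layout, the version string format and the sample accounts are constructed for the example; a real SonicWall user export looks different, so the parser would need adapting.

```python
"""Remediation audit for the SonicWall guidance above (added example).

Two checks: (1) SonicOS firmware is at least 7.3.0; (2) local accounts migrated
from a Gen 6 device had their password reset after the migration, and SSL VPN
users have MFA. The account CSV format is constructed, not a SonicWall export.
"""
from __future__ import annotations

import csv
import io
import re
from datetime import datetime

MIN_FIRMWARE = (7, 3, 0)


def parse_firmware(version: str) -> tuple[int, int, int]:
    """Parse a version string such as '7.3.0-7012' into a comparable tuple.
    The build suffix after '-' is ignored (assumed format for this example)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(x) for x in m.groups())


def firmware_is_current(version: str, minimum=MIN_FIRMWARE) -> bool:
    """True if the running build is at or above the recommended minimum."""
    return parse_firmware(version) >= minimum


# Constructed sample: fields an administrator might assemble from the local
# user database and migration records. Timestamps are ISO 8601 in UTC.
# 'migrated_at' is empty for accounts created directly on the Gen 7 device.
SAMPLE_USERS = """\
username,sslvpn,mfa,migrated_at,password_changed_at
alice,yes,yes,2025-03-10T09:00:00Z,2025-03-11T14:20:00Z
bob,yes,no,2025-03-10T09:00:00Z,2024-11-02T08:15:00Z
carol,no,no,2025-03-10T09:00:00Z,2024-06-30T10:00:00Z
dave,yes,yes,,2025-07-20T12:00:00Z
"""


def _ts(value: str):
    """Parse an ISO 8601 UTC timestamp; empty string means 'not applicable'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit_users(csv_text: str) -> list[dict]:
    """Return one finding per local user that still needs action.

    Rule 1: an account migrated from Gen 6 whose password was not changed
            after the migration timestamp (carried-over credential).
    Rule 2: an SSL VPN-enabled account without MFA.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sslvpn = row["sslvpn"].strip().lower() == "yes"
        migrated = _ts(row["migrated_at"].strip())
        changed = _ts(row["password_changed_at"].strip())
        issues = []
        if migrated and (changed is None or changed <= migrated):
            issues.append("password carried over from migration, never reset")
        if sslvpn and row["mfa"].strip().lower() != "yes":
            issues.append("SSL VPN enabled without MFA")
        if issues:
            findings.append({"username": row["username"], "issues": issues})
    return findings


if __name__ == "__main__":
    print("firmware 7.3.0-7012 current:", firmware_is_current("7.3.0-7012"))
    print("firmware 7.2.1-7015 current:", firmware_is_current("7.2.1-7015"))
    for finding in audit_users(SAMPLE_USERS):
        print(finding["username"], "->", "; ".join(finding["issues"]))
```

On the sample data, alice (password rotated after migration, MFA on) and dave (created on the Gen 7 device, MFA on) pass; bob is flagged on both rules and carol on the carried-over password rule even though she has no SSL VPN access, matching the guidance to reset all local accounts, not only VPN users.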

Community Response and Ongoing Concerns

Not everyone is convinced. Some system administrators report compromises of accounts that were created only after the Gen 7 migration, which the carried-over-password explanation does not cover. These reports suggest the picture may be more complex than SonicWall's current statement, so continued vigilance and investigation are warranted.

The incident underscores the importance of timely security updates and of following every step in a vendor bulletin during equipment migrations, not just the firmware upgrade. Organizations should audit their configurations regularly and close known vulnerabilities promptly. The SonicWall case is a reminder that a patched vulnerability can still be a live risk when the accompanying remediation, here a credential reset, is skipped.
