Critical SonicWall Firewall Vulnerability Actively Exploited by Ransomware Actors
A critical vulnerability in SonicWall firewalls, tracked as CVE-2024-40766, is being exploited by ransomware actors to gain initial access to victims’ networks. SonicWall first disclosed the vulnerability on August 22, 2024, and released patched firmware at the same time. On September 6, 2024, SonicWall updated its advisory to warn that the flaw was potentially being exploited in the wild and to urge customers to upgrade to the latest firmware version.
The improper access control vulnerability has a CVSS severity score of 9.3 and affects SonicOS management access and, as confirmed in the September 6, 2024, advisory update, the SSLVPN feature. A remote attacker who successfully exploits it can gain unauthorized resource access and, under specific conditions, cause the firewall to crash. According to SonicWall, the vulnerability affects Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
On September 6, 2024, the same day that SonicWall issued its update, Arctic Wolf’s senior threat intelligence researcher, Stefan Hostetler, published a blog post claiming the vulnerability had been exploited by Akira ransomware affiliates to compromise SSLVPN accounts on vulnerable SonicWall devices to gain initial access to victims’ networks.
In all identified instances, the compromised accounts were local to the devices themselves rather than integrated with a centralized authentication solution such as Microsoft Active Directory; multifactor authentication (MFA) was not enabled on the compromised accounts; and the firmware on the devices was in the range affected by CVE-2024-40766. Rapid7 researchers also identified ransomware actor activity targeting SonicWall SSLVPN accounts, although they found only circumstantial evidence linking the activity to CVE-2024-40766.
Hostetler recommends updating the firmware to the latest version, enabling MFA on all locally managed SSLVPN accounts, and, for Gen 5 and Gen 6 devices, resetting the passwords of all accounts. In addition to enabling MFA, SonicWall recommends restricting firewall management and SSLVPN access to trusted sources and ensuring that firewall WAN management is not accessible from the public internet.
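The recommendations above translate directly into a fleet audit: is each device on firmware in the affected range, is management reachable from the WAN, and are there local SSLVPN accounts without MFA. The script below is an added example, not SonicWall’s, Arctic Wolf’s, or HIPAA Journal’s code. The only version boundary it takes from this page is the Gen 7 one (SonicOS 7.0.1-5035 and older); the page gives no version boundary for Gen 5 and Gen 6, so those devices are flagged for manual review against the advisory rather than compared numerically. The inventory records, field names, and version strings other than 7.0.1-5035 are constructed sample data.

```python
"""Audit a SonicWall inventory against the CVE-2024-40766 mitigations.

Added example, not vendor code. Assumptions: an inventory exported from an
asset system into the Firewall records below (constructed sample data); Gen 7
versions are written 'major.minor.patch-build' as in '7.0.1-5035'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The only threshold taken from the advisory text on this page: Gen 7 firmware
# 7.0.1-5035 and older is affected.
GEN7_MAX_AFFECTED = "7.0.1-5035"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos_version(version: str) -> tuple[int, int, int, int]:
    """Parse a Gen 7 style SonicOS version string into a comparable tuple.

    Element-wise tuple comparison gives the correct ordering, so a plain
    string comparison (where '7.0.1-999' would sort after '7.0.1-5035') is
    avoided.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return major, minor, patch, build


def gen7_is_affected(version: str) -> bool:
    """True if a Gen 7 firmware version is 7.0.1-5035 or older."""
    return parse_sonicos_version(version) <= parse_sonicos_version(GEN7_MAX_AFFECTED)


@dataclass
class Firewall:
    name: str
    generation: int                     # 5, 6 or 7
    firmware: str
    mgmt_on_wan: bool                   # management interface reachable from the internet
    local_sslvpn_users_without_mfa: int  # locally defined SSLVPN accounts lacking MFA


def audit(fleet: list[Firewall]) -> dict[str, list[str]]:
    """Return the findings for each device; an empty list means nothing to fix."""
    findings: dict[str, list[str]] = {}
    for fw in fleet:
        issues: list[str] = []
        if fw.generation == 7:
            if gen7_is_affected(fw.firmware):
                issues.append(f"firmware {fw.firmware} is {GEN7_MAX_AFFECTED} or older: upgrade")
        elif fw.generation in (5, 6):
            # No version boundary on this page for Gen 5/6: review against the
            # advisory and rotate every account password (assumption: treat as affected).
            issues.append("Gen 5/6 device: verify firmware against the advisory and reset all passwords")
        if fw.mgmt_on_wan:
            issues.append("WAN management exposed: restrict management to trusted sources")
        if fw.local_sslvpn_users_without_mfa:
            issues.append(f"{fw.local_sslvpn_users_without_mfa} local SSLVPN account(s) without MFA")
        findings[fw.name] = issues
    return findings


# Constructed sample inventory (hypothetical hostnames and values).
SAMPLE_FLEET = [
    Firewall("fw-branch-01", 7, "7.0.1-5035", mgmt_on_wan=True, local_sslvpn_users_without_mfa=3),
    Firewall("fw-branch-02", 7, "7.0.1-5065", mgmt_on_wan=False, local_sslvpn_users_without_mfa=0),
    Firewall("fw-dc-01", 7, "7.1.1-7040", mgmt_on_wan=False, local_sslvpn_users_without_mfa=1),
    Firewall("fw-legacy-01", 6, "6.5.4.14-109n", mgmt_on_wan=False, local_sslvpn_users_without_mfa=0),
]

if __name__ == "__main__":
    for device, issues in audit(SAMPLE_FLEET).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{device}: {status}")
```

Running the script prints one line per device; only fw-branch-02 comes back clean, and fw-branch-01, sitting exactly on the 7.0.1-5035 boundary, is reported as affected, which is the comparison the string form of the version would get wrong.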
The vulnerability has now been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerability (KEV) Catalog, and all federal agencies have been instructed to ensure that the vulnerability is patched no later than September 30, 2024.