Active Exploitation of Gen 7 SonicWall Firewalls with SSL VPN Enabled

Summary

SonicWall has released and updated a security notice regarding recent reported cyber incidents involving SonicWall Gen 7 Firewalls


Affected platforms

The following platforms are known to be affected:

Threat details

Security researchers link cyber incidents with deployment of Akira ransomware

Update: SonicWall has stated they have “high confidence” that the reported threat activity is not connected to a zero-day vulnerability but correlates with activity targeting CVE-2024-40766, a previously disclosed vulnerability from 2024. CVE-2024-40766 was reported as under active exploitation, including in a campaign involving deployment of Akira ransomware.

Original: Multiple security researchers have reported active intrusion activity targeting SonicWall Gen7 firewalls with SSL VPN enabled. Reported post-exploitation activity has included privilege escalation, lateral movement, data exfiltration, and the deployment of Akira ransomware.

Intrusions have been reported against fully-updated firewall devices where multi-factor authentication (MFA) is enabled, and researchers have suggested this may indicate exploitation of an unidentified zero-day vulnerability.


Introduction

SonicWall has released a security notice regarding recent internal and external cyber incidents. SonicWall has stated they have “high confidence” that the reported threat activity is not connected to a zero-day vulnerability but correlates with activity targeting CVE-2024-40766, a previously disclosed vulnerability from 2024.

SonicWall has determined that many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset. Resetting user passwords was listed as a recommended mitigation step for CVE-2024-40766.

Organisations running Gen 7 SonicWall firewalls where secure sockets layer virtual private network (SSL VPN) is enabled are required to implement the steps below.


Threat updates

Date: 7 Aug 2025
Update: Updates to SonicWall's security notice and this Cyber Alert

This Cyber Alert has significant updates to the following sections:

  • Security researchers link cyber incidents with deployment of Akira ransomware
  • Introduction
  • Remediation advice
  • Remediation steps

SonicWall has offered more context around the reported incidents, namely that many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset, and that there is no new zero-day vulnerability.

The vulnerability CVE-2024-40766 was the subject of Cyber Alert CC-4545, which encouraged organisations to review SonicWall advisory SNWLID-2024-0015. In that advisory, one of the recommended steps was to enforce a Password Update for Local Users.


Remediation advice

Affected organisations must review SonicWall security notice Gen 7 SonicWall Firewalls – SSLVPN Recent Threat Activity and implement the following remediation steps.

New guidance reflecting changes to the updated SonicWall security notice on 7 August 2025

  • Organisations are no longer required to disable SSL VPN services.
  • Organisations are now required to follow remediation steps outlined below.

Remediation steps

Type: Patch
Step: Update firmware to version 7.3.0
  • includes enhanced protections against brute force attacks and additional MFA controls.
  https://www.sonicwall.com/support/knowledge-base/enhance-security-with-login-attempt-lockout-and-enforce-password-complexity-in-sonicos-7-3/250605085003583

Type: Action
Step: Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.

Type: Action
Step: Enable Security Services
  https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

Type: Action
Step: Remove unused or inactive user accounts.

Type: Action
Step: Enforce Multi-Factor Authentication (MFA)
  • Enable MFA for all remote access to reduce the risk of credential abuse.
  https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-2fa-for-ssl-vpn-with-totp/190829123329169

Type: Aware
Step: Actively monitor SonicWall Security Advisories for new advisories and security updates.
  https://psirt.global.sonicwall.com/vuln-list


Last edited: 7 August 2025 2:49 pm