Triskele Labs Blog

Update on SonicWall SSL VPN Exploitation

Written by Adam Skupien, Vulnerability Security Analyst | Sep 11, 2025 7:27:12 AM

Published: Thursday 11 September 2025

Prepared by: Adam Skupien, Vulnerability Security Analyst

Purpose

This bulletin provides an update to the Triskele Labs advisory released on 5 August 2025, regarding ransomware activity exploiting SonicWall SSL VPN devices. 

Since the original advisory:

  • SonicWall has confirmed the issue relates to CVE-2024-40766 (Improper Access Control).

  • Patches for CVE-2024-40766 have been available since August 2024 for Gen 5, Gen 6, and Gen 7 devices. However, exploitation has continued where updates were not applied, or where organisations upgraded without resetting local SSL VPN user accounts.

  • The Australian Cyber Security Centre (ACSC) has reported ongoing active exploitation of this vulnerability in Australia, linked to Akira ransomware campaigns.

Timeline

  • 1 August 2025 – Arctic Wolf publishes their blog highlighting increased targeting of SonicWall SSL VPNs, noting that activity dates back to 15 July 2025 and is followed by Akira ransomware deployment.

  • 4 August 2025 – SonicWall issues an advisory acknowledging a surge in incidents impacting Gen 7 firewalls with SSL VPN enabled.

  • 7 August 2025 – SonicWall updates their advisory, attributing the activity to CVE-2024-40766 (originally disclosed and patched on 21 August 2024) and stressing the importance of resetting local SSL VPN user accounts, particularly after migrating from Gen 6 to Gen 7 devices.

  • 10 September 2025 – The Australian Cyber Security Centre (ACSC) releases a high-severity alert confirming ongoing active exploitation of CVE-2024-40766 in Australia, associated with Akira ransomware.

Vulnerability details

CVE-2024-40766 affects:

  • Gen 5 (SOHO) firewalls running 5.9.2.14-12o and older versions
  • Gen 6 firewalls running 6.5.4.14-109n and older versions
  • Gen 7 firewalls running SonicOS 7.0.1-5035 and older versions

Exploitation enables attackers to bypass access controls, gain unauthorised access, and pivot into the internal network.

SonicWall strongly advises upgrading to SonicOS 7.3.0 or higher, which introduces enhanced protections against brute-force attacks and additional MFA controls.


Impact

Remote unauthenticated attackers can leverage CVE-2024-40766 to compromise SonicWall devices.

Once compromised, attackers may obtain privileged access, move laterally inside the network, and deploy ransomware such as Akira.

Even after patching, organisations may remain vulnerable if local SSL VPN user accounts are not reset. Threat actors have been observed continuing to exploit unchanged or migrated credentials to maintain access.

Mitigation actions

Patches are available and must be applied as soon as possible.

Platform        Fixed versions
SOHO (Gen 5)    5.9.2.14-13o and higher
Gen 6           6.5.2.8-2n and higher (SM9800, NSsp 12400, NSsp 12800)
                6.5.4.15-116n and higher (all other Gen 6 firewalls)
Gen 7           7.0.1-5035 or higher. However, SonicWall recommends installing the latest firmware (7.3.0 introduces enhanced protections against brute-force attacks and additional MFA controls).


Critical Action – Reset All Local SSL VPN User Accounts

  • All local SSL VPN accounts must have their passwords reset, even if your organisation has migrated from Gen 6 to Gen 7 devices.

  • Attackers have been observed exploiting unchanged or migrated credentials even after patching.

  • Failure to reset accounts may leave organisations vulnerable despite applying software updates.

Additional Recommendations

  • Enable Botnet Protection, Geo-IP filtering, and Account Lockout policies.

  • Restrict VPN access to trusted IP ranges; apply geo-restrictions where possible.

  • Remove unused and inactive accounts from the devices.

  • Continue deploying EDR solutions across all endpoints, including VPN servers.

Detection capabilities

  • Monitor logs for suspicious authentication attempts and lateral movement.

  • Track privileged account activity closely.

  • Investigate unusual data transfers for signs of exfiltration.

  • Triskele Labs customers using Monitor (24×7 SIEM) or MDR services continue to be proactively assessed for IoCs and abnormal behaviour.
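The first two detection bullets can be turned into simple log analytics. The script below is an added example written for this bulletin, not a Triskele Labs or SonicWall tool: it parses constructed SSL VPN authentication events (a simplified syslog-like layout, not the real SonicOS format), then flags password spraying from one source, successful logins from outside an assumed trusted range, and a success that closely follows failures from the same source, which is the pattern to expect when unreset local SSL VPN credentials are being reused.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simplified layout (NOT SonicOS's real syslog format).
SAMPLE_LOG = """\
2025-09-10T02:14:01Z src=203.0.113.7 usr=jsmith result=fail msg="SSL VPN login failed"
2025-09-10T02:14:03Z src=203.0.113.7 usr=bwilson result=fail msg="SSL VPN login failed"
2025-09-10T02:14:05Z src=203.0.113.7 usr=admin result=fail msg="SSL VPN login failed"
2025-09-10T02:14:07Z src=203.0.113.7 usr=vpnuser result=fail msg="SSL VPN login failed"
2025-09-10T02:14:09Z src=203.0.113.7 usr=legacy_vpn result=fail msg="SSL VPN login failed"
2025-09-10T02:15:30Z src=203.0.113.7 usr=legacy_vpn result=success msg="SSL VPN login allowed"
2025-09-10T08:00:12Z src=198.51.100.20 usr=jsmith result=success msg="SSL VPN login allowed"
"""

# Assumed trusted source range for the organisation (constructed for this example).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) usr=(?P<usr>\S+) result=(?P<result>\w+)')

def parse(text):
    """Turn raw lines into dicts with a timezone-aware timestamp; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events

def analyse(events, window_s=300, spray_users=3):
    """Return (kind, src, detail) alerts for spraying, untrusted-source success, success-after-failures."""
    alerts, sprayed = [], set()
    fails = defaultdict(list)  # src -> [(ts, usr)] of failed attempts seen so far
    for ev in events:
        ip = ipaddress.ip_address(ev["src"])
        recent = [(t, u) for t, u in fails[ev["src"]] if (ev["ts"] - t).total_seconds() <= window_s]
        if ev["result"] == "fail":
            fails[ev["src"]].append((ev["ts"], ev["usr"]))
            users = {u for _, u in recent} | {ev["usr"]}
            # Many distinct usernames failing from one source inside the window: password spraying.
            if len(users) >= spray_users and ev["src"] not in sprayed:
                sprayed.add(ev["src"])
                alerts.append(("spray", ev["src"], sorted(users)))
        else:
            if not any(ip in net for net in TRUSTED_NETS):
                alerts.append(("untrusted_source", ev["src"], ev["usr"]))
            if recent:  # a success shortly after failures from the same source deserves a look
                alerts.append(("success_after_failures", ev["src"], ev["usr"]))
    return alerts
```

Run `analyse(parse(SAMPLE_LOG))` to see the three alert kinds raised for 203.0.113.7 and none for the trusted source.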

Triskele Labs customers leveraging our Vulnerability Scanning and Monitor (24×7 SIEM) or MDR services are being proactively assessed and monitored for IoCs and signs of lateral movement.
