SonicWall: Attackers did not exploit zero-day vulnerability to compromise Gen 7 firewalls

Akira ransomware affiliates are not leveraging an unknown, zero-day vulnerability in SonicWall Gen 7 firewalls to breach corporate networks, the security vendor shared today.

“Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory.”

What happened?

Since July 15, 2025, researchers have observed a notable surge in ransomware activity targeting SonicWall firewalls, specifically via their SSL VPN functionality, and posited that the attackers might be leveraging a zero-day vulnerability because, in some cases, fully patched SonicWall devices were affected following credential rotation and despite time-based one-time password (TOTP) multi-factor authentication (MFA) being enabled.

This wave of attacks aligns with patterns previously seen from the Akira ransomware-as-a-service group.

A SonicWall spokesperson told Help Net Security that there have been fewer than 40 confirmed cases, and the attacks seem to be linked to legacy credential use during migrations from Gen 6 to Gen 7 firewalls.

Apparently, local user passwords were carried over during the migration and not reset as the company advised in the original advisory. (CVE-2024-40766 also affects Gen 7 firewalls running SonicOS 7.0.1-5035 and older versions.)

Mitigation and remediation

Since the security updates for CVE-2024-40766, newer versions of SonicOS have been released, and SonicWall pointed out that SonicOS 7.3 has additional protection against brute-force password and MFA attacks, such as admin/user lockout (enabled by default but has to be configured) and password complexity enforcement (has to be enabled by admins).

Thus, they are urging organizations using Gen 7 firewalls to upgrade to that version. Organizations that have imported configurations from Gen 6 to newer firewalls should also:

  • Update the firmware to version 7.3.0
  • Reset all local user account passwords for any accounts with SSLVPN access
  • Consider enabling available protections (Botnet Protection, Geo-IP Filtering, etc.)
  • Remove unused user accounts
  • Enforce MFA and strong password policies.
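The password-reset, MFA and unused-account items in that checklist can be turned into a post-migration audit of your own user inventory. This is an added example, not SonicWall tooling; it assumes a CSV you assemble yourself, whose column names are hypothetical and not a SonicOS export format.

```python
"""Audit local accounts after a Gen 6 -> Gen 7 firewall migration.

Added example, not SonicWall code. Assumed (hypothetical) CSV columns:
  username,sslvpn,totp_enrolled,password_set,last_login
Dates are ISO-8601; an empty last_login means the account never logged in.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory for demonstration only.
SAMPLE_CSV = """username,sslvpn,totp_enrolled,password_set,last_login
alice,yes,yes,2025-08-01,2025-08-05
bob,yes,yes,2024-11-20,2025-08-04
carol,yes,no,2025-07-30,2025-08-03
svc_backup,no,no,2023-02-10,
dave,yes,yes,2025-07-28,2024-12-01
"""


def _parse(s):
    """Parse 'YYYY-MM-DD' into a date; blank strings become None."""
    s = s.strip()
    return date.fromisoformat(s) if s else None


def audit_accounts(csv_text, migration_date, today, unused_after_days=90):
    """Return findings keyed by check name; each value is a list of usernames."""
    migrated_on, now = _parse(migration_date), _parse(today)
    findings = {"stale_password": [], "no_mfa": [], "unused": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"]
        has_sslvpn = row["sslvpn"].strip().lower() == "yes"
        pw_set, last_login = _parse(row["password_set"]), _parse(row["last_login"])
        # Password set before the migration was carried over from the Gen 6 config.
        if has_sslvpn and pw_set < migrated_on:
            findings["stale_password"].append(user)
        # SSL VPN account without a TOTP enrolment.
        if has_sslvpn and row["totp_enrolled"].strip().lower() != "yes":
            findings["no_mfa"].append(user)
        # Never used, or idle beyond the threshold: candidate for removal.
        if last_login is None or (now - last_login) > timedelta(days=unused_after_days):
            findings["unused"].append(user)
    return findings


if __name__ == "__main__":
    for check, users in audit_accounts(SAMPLE_CSV, "2025-06-01", "2025-08-07").items():
        print(f"{check}: {', '.join(users) or 'none'}")
```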

Huntress researchers said that they’ve detected around 28 attacks that have many similarities but also some differences.

Huntress and GuidePoint Security have shared indicators of compromise associated with the campaign and listed the various actions and tools used by the attackers.
