SonicWall has recently confirmed that the spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is associated with an older vulnerability that has now been patched, alongside issues related to password reuse. The company stated, “We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability,” citing a significant correlation with threat activity tied to CVE-2024-40766.
This CVE, which has a CVSS score of 9.3, was first disclosed by SonicWall in August 2024. The vulnerability pertains to improper access control, potentially allowing malicious actors unauthorized access to the devices. In an advisory from September 2024, SonicWall noted the seriousness of this access control issue, stating that it could lead to unauthorized resource access and, in certain conditions, could cause the firewall to crash.
As investigations continue, SonicWall reported that it is working through fewer than 40 incidents related to this recent activity. Many of these incidents stem from migrations from Gen 6 to Gen 7 firewalls in which local user passwords were not reset, a critical step specified in the CVE-2024-40766 advisory. The company recommends this reset as part of hardening affected deployments.
In light of the recent activity, SonicWall has rolled out SonicOS 7.3, which provides improved defenses against brute-force password attacks and attacks on multi-factor authentication (MFA). Updated guidance recommends that users update firmware, reset all local user passwords for SSLVPN access, enable Botnet Protection, enforce strong password policies, and remove inactive user accounts. These steps aim to fortify defenses against a backdrop of increasing ransomware attacks that leverage SonicWall SSL VPN appliances as an entry point.
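Two of the recommended steps (reset local SSLVPN passwords that predate the Gen 6 to Gen 7 migration, and remove inactive accounts) are easy to miss on an appliance with many local users. The following script is an added example, not code from SonicWall or from the article, that audits a constructed CSV export of local users and flags the accounts an administrator should act on. The export format, the migration date, and the 90-day inactivity threshold are all assumptions for illustration; a real audit would feed it the user list exported from the firewall's management interface.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed cutover date of the Gen 6 -> Gen 7 migration (constructed for this example).
# Any local SSLVPN account whose password was last changed before this date was
# carried over without the reset the CVE-2024-40766 advisory calls for.
MIGRATION_DATE = date(2024, 9, 1)

# Assumed policy: no login in this long counts as an inactive account.
INACTIVE_AFTER = timedelta(days=90)

# Constructed sample export of local users; this is NOT a real SonicOS export format.
SAMPLE_EXPORT = """\
username,sslvpn,password_changed,last_login
alice,yes,2024-10-02,2025-07-28
bob,yes,2023-03-15,2025-07-30
carol,no,2022-01-01,2025-07-30
dave,yes,2024-11-20,2024-12-01
erin,yes,2024-09-10,never
"""


@dataclass
class LocalUser:
    username: str
    sslvpn: bool                  # account is permitted to use SSL VPN
    password_changed: date        # last password change
    last_login: Optional[date]    # None if the account has never logged in


def parse_export(text: str) -> list[LocalUser]:
    """Parse the constructed CSV export into LocalUser records."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    users = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split(",")))
        last_login = fields["last_login"]
        users.append(LocalUser(
            username=fields["username"],
            sslvpn=fields["sslvpn"].strip().lower() == "yes",
            password_changed=date.fromisoformat(fields["password_changed"]),
            last_login=None if last_login == "never" else date.fromisoformat(last_login),
        ))
    return users


def audit(users: list[LocalUser], today: date,
          migration_date: date = MIGRATION_DATE,
          inactive_after: timedelta = INACTIVE_AFTER) -> dict[str, list[str]]:
    """Return SSLVPN accounts needing a password reset and accounts that look inactive.

    Only accounts with SSLVPN access are considered, matching the advisory's focus;
    accounts that have never logged in are treated as inactive.
    """
    findings: dict[str, list[str]] = {"stale_password": [], "inactive": []}
    for u in users:
        if not u.sslvpn:
            continue
        if u.password_changed < migration_date:
            findings["stale_password"].append(u.username)
        if u.last_login is None or today - u.last_login > inactive_after:
            findings["inactive"].append(u.username)
    return findings


if __name__ == "__main__":
    result = audit(parse_export(SAMPLE_EXPORT), today=date(2025, 8, 1))
    for category, names in result.items():
        print(f"{category}: {', '.join(names) if names else '(none)'}")
```

On the constructed data, `bob` is flagged for a password that predates the migration, while `dave` and `erin` are flagged as inactive; `carol` is skipped because the account has no SSLVPN access. The two findings lists map directly onto the "reset all local user passwords for SSLVPN access" and "remove inactive user accounts" steps from the guidance above.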