cbcvebase
CVE-2024-40766
Published 2024-08-23

Priority P1 (94) · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2024-09-30
Exploited in the wild
EPSS: 15.69% (96.4th percentile)
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Affected

8 ranges

Vendor     Product   Version range      Fixed in
sonicwall  sonicos   < 5.9.2.14-13o     5.9.2.14-13o
sonicwall  sonicos   < 6.5.2.8-2n       6.5.2.8-2n
sonicwall  sonicos   < 6.5.4.15-116n    6.5.4.15-116n
sonicwall  sonicos   <= 7.0.1-5035
sonicwall  sonicos
sonicwall  sonicos
sonicwall  sonicos
sonicwall  sonicos
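
As an added worked example (not part of the cbcvebase record and not SonicWall's own tooling), the Python below checks a SonicOS version string against the boundaries in the table above. It parses the dotted release, the hyphenated build number and the trailing platform letter, then picks the fix for the device generation and, for Gen 6, for the firmware branch (6.5.2.x for SM9800, NSsp 12400 and NSsp 12800; 6.5.4.x for other Gen 6 models, as the version notes in the Detection section state). For Gen 7 it follows the table, which lists 7.0.1-5035 itself as affected. The ordering rule (release, then build number, platform letter ignored) and the sample inventory are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Boundaries taken from the affected-ranges table and the SonicWall advisory
# quoted in this record (SNWLID-2024-0015).
FIXED = {
    "gen5": "5.9.2.14-13o",
    "gen6-6.5.2": "6.5.2.8-2n",      # SM9800, NSsp 12400, NSsp 12800 branch
    "gen6-other": "6.5.4.15-116n",   # all other Gen 6 models
}
LAST_AFFECTED_GEN7 = "7.0.1-5035"   # the table lists "<= 7.0.1-5035" as affected

# e.g. "6.5.4.15-116n" -> dotted "6.5.4.15", build "116", platform letter "n"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){1,3})(?:-(\d+)([A-Za-z]?))?$")


@dataclass(frozen=True)
class SonicOSVersion:
    release: tuple   # dotted components, zero-padded to four, e.g. (6, 5, 4, 15)
    build: int       # hyphenated build number, 0 when absent (e.g. "7.3.0")
    suffix: str      # platform letter such as "n" or "o"; informational only

    @property
    def key(self):
        # Ordering assumption for this example: dotted release first, then the
        # build number; the platform letter never decides ordering.
        return (self.release, self.build)

    @property
    def branch(self):
        return self.release[:3]


def parse_version(text):
    """Parse 'SonicOS 6.5.4.14-109n' or '6.5.4.14-109n' into a SonicOSVersion."""
    cleaned = re.sub(r"(?i)^sonicos\s*", "", text.strip())
    m = _VERSION_RE.match(cleaned)
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    release = parts + (0,) * (4 - len(parts))
    build = int(m.group(2)) if m.group(2) else 0
    return SonicOSVersion(release, build, m.group(3) or "")


@dataclass(frozen=True)
class Assessment:
    generation: str
    affected: bool
    fixed_in: str    # version that closes the gap, or "" when none is listed


def assess(text):
    """Decide whether a SonicOS build falls in a CVE-2024-40766 affected range."""
    v = parse_version(text)
    major = v.release[0]
    if major == 5:
        fixed = FIXED["gen5"]
        return Assessment("Gen 5", v.key < parse_version(fixed).key, fixed)
    if major == 6:
        fixed = FIXED["gen6-6.5.2"] if v.branch == (6, 5, 2) else FIXED["gen6-other"]
        return Assessment("Gen 6", v.key < parse_version(fixed).key, fixed)
    if major == 7:
        # The record lists no fixed build for Gen 7, only the last affected one.
        return Assessment("Gen 7", v.key <= parse_version(LAST_AFFECTED_GEN7).key, "")
    raise ValueError(f"no affected range on record for major version {major}")


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real device data.
    inventory = ["SonicOS 5.9.2.14-12o", "6.5.2.7-2n", "6.5.4.14-109n",
                 "6.5.4.15-116n", "7.0.1-5035", "7.3.0"]
    for entry in inventory:
        a = assess(entry)
        status = "AFFECTED" if a.affected else "not affected"
        fix = f" (fixed in {a.fixed_in})" if a.affected and a.fixed_in else ""
        print(f"{entry:<22} {a.generation}: {status}{fix}")
```

A build that compares as fixed is not the end of the assessment: the record notes that credentials stolen from previously vulnerable devices were reused against patched firmware, including 7.3.0, so the credential-reset steps apply regardless of what the checker returns.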

Detection & IOCs (extracted from sources)

  • Version: SonicOS 5.9.2.14-12o and older (Gen 5) – fixed in 5.9.2.14-13o
  • Version: SonicOS 6.5.4.14-109n and older (Gen 6) – fixed in 6.5.2.8-2n (SM9800, NSsp 12400, NSsp 12800) and 6.5.4.15-116n (other Gen 6)
  • Version: SonicOS 7.0.1-5035 and older (Gen 7) – not reproducible in 7.0.1-5035 and later
  • Monitor for Impacket SMB session setup requests originating from SonicWall VPN-authenticated sessions, which Akira affiliates used for lateral movement shortly after initial access.
  • Alert on rapid internal network scanning (within ~5 minutes) following a new SonicWall SSL VPN login, a TTF (time-to-first-action) indicator of Akira post-exploitation.
  • Detect execution of dsquery, SharpShares, and BloodHound for Active Directory enumeration following SonicWall VPN logins as post-exploitation indicators.
  • Monitor for a custom PowerShell script targeting Veeam Backup & Replication MSSQL and PostgreSQL databases to extract and decrypt credentials including DPAPI secrets.
  • Detect consent.exe loading unexpected DLLs (sideloading) as a BYOVD technique used by Akira affiliates to disable endpoint protection.
  • Flag loading of rwdrv.sys or churchill_driver.sys as vulnerable drivers used in BYOVD attacks to disable endpoint protection processes.
  • Alert on multiple OTP challenges issued for the same account followed by a successful login on SonicWall SSL VPN — a pattern consistent with compromised OTP seeds being used to bypass MFA.
  • Check Point signatures for Akira ransomware: Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira; Trojan.Wins.Akira.ta.*; Trojan.Wins.Akira; Trojan.Win.Akira can be used for endpoint/emulation detection.
  • Identify external-facing SonicWall assets with SSL VPN enabled using Tenable Attack Surface Management's built-in subscription labeled 'SonicWall SSL-VPN v1'.
  • Prioritize investigation of Gen 6-to-Gen 7 migrated SonicWall configurations where local user accounts were not reset per advisory SNWLID-2024-0015, as these are the primary attack vector.
  • CVE-2024-40766 affects both the SonicOS management interface AND the SSLVPN feature — the initial August 2024 disclosure only mentioned management access; the SSLVPN impact was added in a later update.
  • Patching alone is insufficient — attackers continue to use credentials stolen from previously vulnerable devices even after patches are applied; all VPN credentials must be reset.
  • Some attacks impacted devices running SonicOS 7.3.0, which was the version SonicWall recommended to mitigate credential attacks, indicating that credential reuse remains a risk even on fully patched devices.
  • MFA (OTP) does not fully protect against this campaign; threat actors have successfully authenticated to MFA-protected accounts, possibly via stolen OTP seeds.
  • For Gen 5 and Gen 6 devices, SSLVPN users with local accounts must update passwords immediately and admins should enable the 'User must change password' option for local users.
  • The MySonicWall breach exposed firewall configuration backup files containing encrypted passwords and other information that could make exploitation significantly easier; all credentials from affected devices must be rotated.
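
Two of the behavioural indicators above (rapid internal scanning within about five minutes of a new SSL VPN login, and several OTP challenges for one account followed by a successful login) can be expressed as plain correlations over authentication and connection events. The Python below is an added example, not code from the cbcvebase record, from SonicWall or from Check Point. The event records are constructed and already normalised for the example rather than taken from any SonicWall log format, and the thresholds (20 distinct hosts, 3 challenges, 5- and 10-minute windows) are assumptions to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed, already-normalised events (not SonicWall's native log format):
# "otp_challenge" and "vpn_login" carry the account, "vpn_login" also the
# address assigned to the session, and "conn" is a firewall-observed connection.
SAMPLE_EVENTS = [
    {"ts": "2024-09-02T08:00:00", "type": "otp_challenge", "user": "jdoe"},
    {"ts": "2024-09-02T08:00:20", "type": "otp_challenge", "user": "jdoe"},
    {"ts": "2024-09-02T08:00:45", "type": "otp_challenge", "user": "jdoe"},
    {"ts": "2024-09-02T08:01:10", "type": "vpn_login", "user": "jdoe", "vpn_ip": "10.200.0.15"},
    {"ts": "2024-09-02T09:00:00", "type": "otp_challenge", "user": "asmith"},
    {"ts": "2024-09-02T09:00:30", "type": "vpn_login", "user": "asmith", "vpn_ip": "10.200.0.22"},
    {"ts": "2024-09-02T09:10:00", "type": "conn", "src": "10.200.0.22", "dst": "10.0.1.50", "dport": 443},
] + [
    # 24 SMB connections to distinct internal hosts, one per second, from jdoe's session address
    {"ts": f"2024-09-02T08:02:{i:02d}", "type": "conn", "src": "10.200.0.15",
     "dst": f"10.0.1.{i}", "dport": 445}
    for i in range(1, 25)
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_scan_after_login(events, window=timedelta(minutes=5), min_targets=20):
    """Flag VPN logins whose session address reaches at least `min_targets`
    distinct internal hosts within `window`, and report the time from login
    to the first connection (the record's time-to-first-action indicator)."""
    hits = []
    for login in (e for e in events if e["type"] == "vpn_login"):
        t0 = _ts(login)
        conns = [e for e in events
                 if e["type"] == "conn" and e["src"] == login["vpn_ip"]
                 and t0 <= _ts(e) <= t0 + window]
        targets = {e["dst"] for e in conns}
        if len(targets) >= min_targets:
            first = min(_ts(e) for e in conns)
            hits.append({"user": login["user"], "vpn_ip": login["vpn_ip"],
                         "distinct_targets": len(targets),
                         "ttfa_seconds": int((first - t0).total_seconds())})
    return hits


def detect_otp_challenges_then_login(events, window=timedelta(minutes=10), min_challenges=3):
    """Flag successful logins preceded by at least `min_challenges` OTP
    challenges for the same account within `window` before the login."""
    hits = []
    for login in (e for e in events if e["type"] == "vpn_login"):
        t1 = _ts(login)
        n = sum(1 for e in events
                if e["type"] == "otp_challenge" and e["user"] == login["user"]
                and t1 - window <= _ts(e) < t1)
        if n >= min_challenges:
            hits.append({"user": login["user"], "challenges": n, "login_at": login["ts"]})
    return hits


if __name__ == "__main__":
    for hit in detect_scan_after_login(SAMPLE_EVENTS):
        print("scan after login:", hit)
    for hit in detect_otp_challenges_then_login(SAMPLE_EVENTS):
        print("OTP challenges then login:", hit)
```

Both rules key on the session rather than on a signature, which is why they still fire on a patched device: a login with stolen-but-valid credentials followed by enumeration looks the same as one on vulnerable firmware, matching the record's point that credential reset, not patching alone, closes the campaign.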

CVSS provenance

Source      Score  Severity  Vector
nvd (v3.1)  9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck   9.8    CRITICAL
cisa        9.8    CRITICAL