CVE-2024-40766
Published: 2024-08-23
Priority: P1 94 · Critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2024-09-30
Exploited in the wild
EPSS: 15.69% (96.4th percentile)
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
Affected (8 ranges listed; the four without version data are omitted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sonicos | < 5.9.2.14-13o | 5.9.2.14-13o |
| sonicwall | sonicos | < 6.5.2.8-2n | 6.5.2.8-2n |
| sonicwall | sonicos | < 6.5.4.15.116n | 6.5.4.15.116n |
| sonicwall | sonicos | <= 7.0.1-5035 | — |
Detection & IOCs (extracted from sources)
Affected version note: SonicOS 6.5.4.14-109n and older (Gen 6) – fixed in 6.5.2.8-2n (SM9800, NSsp 12400, NSsp 12800) and 6.5.4.15-116n (other Gen 6)
Detection guidance:
- Monitor for Impacket SMB session setup requests originating from SonicWall VPN-authenticated sessions, which Akira affiliates used for lateral movement shortly after initial access.
- Alert on rapid internal network scanning (within ~5 minutes) following a new SonicWall SSL VPN login, a TTF (time-to-first-action) indicator of Akira post-exploitation.
- Detect execution of dsquery, SharpShares, and BloodHound for Active Directory enumeration following SonicWall VPN logins as post-exploitation indicators.
- Monitor for a custom PowerShell script targeting Veeam Backup & Replication MSSQL and PostgreSQL databases to extract and decrypt credentials including DPAPI secrets.
- Detect consent.exe loading unexpected DLLs (sideloading) as a BYOVD technique used by Akira affiliates to disable endpoint protection.
- Flag loading of rwdrv.sys or churchill_driver.sys as vulnerable drivers used in BYOVD attacks to disable endpoint protection processes.
- Alert on multiple OTP challenges issued for the same account followed by a successful login on SonicWall SSL VPN — a pattern consistent with compromised OTP seeds being used to bypass MFA.
- Check Point signatures for Akira ransomware: Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira; Trojan.Wins.Akira.ta.*; Trojan.Wins.Akira; Trojan.Win.Akira can be used for endpoint/emulation detection.
- Identify external-facing SonicWall assets with SSL VPN enabled using Tenable Attack Surface Management's built-in subscription labeled 'SonicWall SSL-VPN v1'.
- Prioritize investigation of Gen 6-to-Gen 7 migrated SonicWall configurations where local user accounts were not reset per advisory SNWLID-2024-0015, as these are the primary attack vector.
Context notes:
- CVE-2024-40766 affects both the SonicOS management interface AND the SSLVPN feature — the initial August 2024 disclosure only mentioned management access; the SSLVPN impact was added in a later update.
- Patching alone is insufficient — attackers continue to use credentials stolen from previously vulnerable devices even after patches are applied; all VPN credentials must be reset.
- Some attacks impacted devices running SonicOS 7.3.0, which was the version SonicWall recommended to mitigate credential attacks, indicating that credential reuse remains a risk even on fully patched devices.
- MFA (OTP) does not fully protect against this campaign; threat actors have successfully authenticated to MFA-protected accounts, possibly via stolen OTP seeds.
- For Gen 5 and Gen 6 devices, SSLVPN users with local accounts must update passwords immediately and admins should enable the 'User must change password' option for local users.
- The MySonicWall breach exposed firewall configuration backup files containing encrypted passwords and other information that could make exploitation significantly easier; all credentials from affected devices must be rotated.
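Two of the indicators above (repeated OTP challenges before a successful SSL VPN login, and internal scanning within about five minutes of a VPN login) as an added Python example; this is not code from any of the page's sources. The event field names, thresholds, addresses and timestamps are constructed assumptions, not SonicOS log formats.

```python
# Added example: correlation checks for two post-exploitation indicators
# reported against CVE-2024-40766 campaigns. Field names, thresholds and
# all sample data below are constructed assumptions for illustration.
from datetime import datetime, timedelta

# Constructed authentication events from an SSL VPN gateway (not real logs).
EVENTS = [
    {"ts": "2025-09-10T08:00:05", "type": "otp_challenge", "user": "jdoe", "src": "203.0.113.7"},
    {"ts": "2025-09-10T08:00:40", "type": "otp_challenge", "user": "jdoe", "src": "203.0.113.7"},
    {"ts": "2025-09-10T08:01:15", "type": "otp_challenge", "user": "jdoe", "src": "203.0.113.7"},
    {"ts": "2025-09-10T08:01:50", "type": "otp_challenge", "user": "jdoe", "src": "203.0.113.7"},
    {"ts": "2025-09-10T08:02:10", "type": "vpn_login", "user": "jdoe", "src": "203.0.113.7", "vpn_ip": "10.10.0.25"},
    {"ts": "2025-09-10T09:00:00", "type": "otp_challenge", "user": "asmith", "src": "198.51.100.4"},
    {"ts": "2025-09-10T09:00:20", "type": "vpn_login", "user": "asmith", "src": "198.51.100.4", "vpn_ip": "10.10.0.31"},
]

# Constructed internal flow records keyed by the VPN-assigned source address.
# jdoe's session touches 40 distinct hosts on 445 within a minute of login;
# asmith's session touches a single web server an hour later.
FLOWS = [
    {"ts": f"2025-09-10T08:03:{i:02d}", "src": "10.10.0.25", "dst": f"10.20.1.{i}", "dport": 445}
    for i in range(1, 41)
] + [
    {"ts": "2025-09-10T09:05:00", "src": "10.10.0.31", "dst": "10.20.5.10", "dport": 443},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def otp_replay_suspects(events, min_challenges=3, window=timedelta(minutes=10)):
    """Return (user, login_ts, challenge_count) for each successful VPN login
    preceded by at least `min_challenges` OTP challenges for the same account
    inside `window`. One or two challenges are normal user fumbling; a burst
    followed by success matches the stolen-OTP-seed pattern described above."""
    hits = []
    for ev in events:
        if ev["type"] != "vpn_login":
            continue
        login_ts = _t(ev["ts"])
        count = sum(
            1 for e in events
            if e["type"] == "otp_challenge" and e["user"] == ev["user"]
            and login_ts - window <= _t(e["ts"]) <= login_ts
        )
        if count >= min_challenges:
            hits.append((ev["user"], ev["ts"], count))
    return hits


def rapid_scan_suspects(events, flows, window=timedelta(minutes=5), min_hosts=20):
    """Return (user, vpn_ip, distinct_hosts) where the VPN-assigned address
    contacted at least `min_hosts` distinct internal hosts within `window`
    of the login, the time-to-first-action indicator listed above."""
    hits = []
    for ev in events:
        if ev["type"] != "vpn_login":
            continue
        login_ts = _t(ev["ts"])
        targets = {
            f["dst"] for f in flows
            if f["src"] == ev["vpn_ip"] and login_ts <= _t(f["ts"]) <= login_ts + window
        }
        if len(targets) >= min_hosts:
            hits.append((ev["user"], ev["vpn_ip"], len(targets)))
    return hits


if __name__ == "__main__":
    for user, ts, n in otp_replay_suspects(EVENTS):
        print(f"OTP burst: {user} logged in at {ts} after {n} challenges")
    for user, ip, n in rapid_scan_suspects(EVENTS, FLOWS):
        print(f"Rapid scan: {user} ({ip}) reached {n} hosts within 5 min of login")
```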
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
GHSA
GHSA-8736-pr6r-r9hr · ghsa_unreviewed · 2024-08-23 · CVE-2024-40766 [CRITICAL] CWE-284
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
VulnCheck
SonicWall SonicOS Improper Access Control Vulnerability · vulncheck · 2024 · CVSS 9.8 · CVE-2024-40766 [CRITICAL] CWE-284
SonicWall SonicOS contains an improper access control vulnerability that could lead to unauthorized resource access and, under certain conditions, may cause the firewall to crash.
Affected: SonicWall SonicOS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.fortiguard.com/outbreak-alert/akira-ransomware; https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/; https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www
CISA
SonicWall SonicOS Improper Access Control Vulnerability · cisa · 2024-09-09 · CVSS 9.8 · CVE-2024-40766 [CRITICAL] CWE-284
Affected: SonicWall SonicOS
SonicWall SonicOS contains an improper access control vulnerability that could lead to unauthorized resource access and, under certain conditions, may cause the firewall to crash.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015; https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/kA1VN0000000RDG0A2; https://nvd.nist.gov/vuln/detail/CVE-2024-40766
Remediation Due Date: 2024-09-30
SonicWall
CVE-2024-40766 · vendor_sonicwall · 2024-08-23 · CVSS 9.8 · [CRITICAL] CWE-284
CVE-2024-40766: An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
No detection rules found.
No public exploits indexed.
Sans Isc
CVE-2024-40766: The Patch Fixed the Bug. Nobody Fixed the Configuration. (Tue, Jun 23rd) · blogs_sans_isc · 2026-06-23 · CVSS 9.8 · CVE-2024-40766 [CRITICAL]
Published: 2026-06-23. Last Updated: 2026-06-23 03:02:34 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
The vulnerability
In August 2024 SonicWall published advisory SNWLID-2024-0015 for CVE-2024-40766. It is an improper access control vulnerability in SonicOS. CVSS 9.3. It affects the management interface and the SSLVPN service on Gen 5, Gen 6 and Gen 7 firewalls. Each generation has its own affected firmware range: Gen 5 running SonicOS 5.9.2.14-12o and older, Gen 6 running 6.5.4.14-109n and older, and Gen 7 running SonicOS 7.0.1-5035 and older. Successful exploitation lets an attacker gain unauthorized access to the firewall. Under certain conditions it crashes the device entirely.
The scope
Mandiant
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape · blogs_mandiant · 2026-03-16
Google Threat Intelligence Group. Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
## Introduction
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
Greynoiseio
Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure · blogs_greynoiseio · 2026-02-27
Tenable
Exploitation of CVE-2025-40602 chained with CVE-2025-23006 · blogs_tenable · 2025-12-17 · CVSS 9.8 · [CRITICAL]
Bleepingcomputer
Sonicwall warns of new SMA1000 zero-day exploited in attacks · blogs_bleepingcomputer · 2025-12-17 · CVSS 9.8 · CVE-2025-40602 [CRITICAL]
By Sergiu Gatlan
SonicWall warned customers today to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was chained in zero-day attacks to escalate privileges.
According to SonicWall, this medium-severity local privilege escalation security flaw (CVE-2025-40602) was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group, and doesn't affect SSL-VPN running on SonicWall firewalls.
"SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability," the company said in a Wednesday advisory.
Remote unauthenticated attackers chained this vulnerability with a critical-severity SMA1000 pre-au
Bleepingcomputer
Marquis data breach impacts over 74 US banks, credit unions · blogs_bleepingcomputer · 2025-12-03
By Lawrence Abrams
Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US.
Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders.
In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall.
This allowed the hackers to steal "certain files from its systems" during the attack.
"The review determined that the files contained personal information received from certain busine
Securelist
IT threat evolution in Q3 2025. Non-mobile statistics · blogs_securelist · 2025-11-19
Securelist
Desktop and IoT malware report for Q3 2025 · blogs_securelist · 2025-11-19 · Authors: AMR
## Quarterly figures
In Q3 2025:
- Kaspersky solutions blocked more than 389 million attacks that originated with various online resources.
- Web Anti-Virus responded to 52 million unique links.
- File Anti-Virus blocked more than 21 million malicious and potentially unwanted objects.
- 2,200 new ransomware variants were detected.
- Nearly 85,000 users experienced ransomware attacks.
- 15% of all ransomware victims whose data was published on threat actors’ data leak sites (DLSs) were victims of Qilin.
- More than 254,000
Bleepingcomputer
CISA warns of WatchGuard firewall flaw exploited in attacks · blogs_bleepingcomputer · 2025-11-13 · CVSS 9.8 · CVE-2025-9242 [CRITICAL]
By Sergiu Gatlan
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned government agencies to patch an actively exploited vulnerability impacting WatchGuard Firebox firewalls.
Remote attackers can use this critical security flaw (CVE-2025-9242) to execute malicious code remotely on vulnerable devices by exploiting an out-of-bounds write weakness in firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1.
CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until December 3, to secure their systems against ongoing attacks as mandated by the Binding Operational Directive (BOD) 22-01.
Bleepingcomputer
CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs · blogs_bleepingcomputer · 2025-11-13
By Lawrence Abrams
US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks.
An updated joint advisory from CISA, the FBI, the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services (HHS), and several international partners alerts that Akira ransomware has expanded its encryption capabilities to Nutanix AHV VM disk files.
The advisory includes new indicators of compromise and tactics observed through FBI investigations and third-party reporting as recent as November 2025.
## Encrypting Nutanix VMs in attacks
The advisory warns that in June 2025 Akira actors started to encrypt disk files for Nutanix
Bleepingcomputer
Akira ransomware breaching MFA-protected SonicWall VPN accounts · blogs_bleepingcomputer · 2025-09-28 · CVSS 9.8 · [CRITICAL]
By Lawrence Abrams
Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds, although the exact method remains unconfirmed.
In July, BleepingComputer reported that the Akira ransomware operation was exploiting SonicWall SSL VPN devices to breach corporate networks, leading researchers to suspect that a zero-day flaw was being exploited to compromise these devices.
However, SonicWall ultimately linked the attacks to an improper access control flaw tracked as CVE-2024-40766 that was disclosed in Sep
Bleepingcomputer
SonicWall releases SMA100 firmware update to wipe rootkit malware · blogs_bleepingcomputer · 2025-09-23
By Sergiu Gatlan
SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
"SonicWall SMA 100 10.2.2.2-92sv build has been released with additional file checking, providing the capability to remove known rootkit malware present on the SMA devices," the company said in a Monday advisory.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version."
The update follows a July report from researchers at the Google Threat Intelligence Group (GTIG), who observed a threat actor tracked as UNC6148 deploying OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devic
Bleepingcomputer
WatchGuard warns of critical vulnerability in Firebox firewalls · blogs_bleepingcomputer · 2025-09-18 · CVSS 9.3 · CVE-2025-9242 [CRITICAL]
By Sergiu Gatlan
WatchGuard has released security updates to address a remote code execution vulnerability impacting the company's Firebox firewalls.
Tracked as CVE-2025-9242, this critical security flaw is caused by an out-of-bounds write weakness that can allow attackers to execute malicious code remotely on vulnerable devices following successful exploitation.
CVE-2025-9242 affects firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1, and was fixed in versions 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1.
While Firebox firewalls are only vulnerable to attacks if they are configured to use IKEv2 VPN, WatchGuard added that they may still be at risk of compromise, even if the vulnerable config
Bleepingcomputer
SonicWall warns customers to reset credentials after breach · blogs_bleepingcomputer · 2025-09-17
By Sergiu Gatlan
SonicWall warned customers today to reset credentials after their firewall configuration backup files were exposed in a security breach that impacted MySonicWall accounts.
After detecting the incident, SonicWall has cut off the attackers' access to its systems and has been collaborating with cybersecurity and law enforcement agencies to investigate the attack's impact.
"As part of our commitment to transparency, we are notifying you of an incident that exposed firewall configuration backup files stored in certain MySonicWall accounts," the cybersecurity company said on Wednesday. "Access to the exposed firewall configuration files contain information that could make exploitation of firewalls significantly e
Checkpoint
15th September – Threat Intelligence Report · blogs_checkpoint · 2025-09-15 · CVE-2025-55234
For the latest discoveries in cyber research for the week of 15th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Panama’s Ministry of Economy and Finance (MEF) was hit by a ransomware attack that resulted in the theft of more than 1.5TB of data, including emails, financial documents, and budgeting details. The compromised information exposes sensitive institutional records tied to the country’s fiscal operations and management.
Bleepingcomputer
Akira ransomware exploiting critical SonicWall SSLVPN bug again · blogs_bleepingcomputer · 2025-09-11 · CVSS 9.8 · CVE-2024-40766 [CRITICAL]
By Bill Toulas
The Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity access control vulnerability, to gain unauthorized access to SonicWall devices.
The hackers are leveraging the security issue to gain access to target networks via unpatched SonicWall SSL VPN endpoints.
SonicWall released a patch for CVE-2024-40766 last year in August, marking it as actively exploited. The flaw allows unauthorized resource access and can cause firewall crashes.
At the time, SonicWall strongly recommended that applying the update should be accompanied by a password reset for users with locally managed SSLVPN accounts.
Without rotating the passwords after the update, threat actors could use expose
Huntress
Active Exploitation of SonicWall VPNs · blogs_huntress · 2025-08-13 · CVSS 9.8 · [CRITICAL]
Update #4: 8/13/25 @ 5pm ET
Updated to note the use of the -dellog argument in Akira attacks as a way to clear event logs (see “Akira Ransomware Invocation” section); updated IoC table with additional hashes.
Update #3: 8/8/25 @ 5pm ET
A recent report by GuidePoint Security pointed to multiple SonicWall-related incidents where threat actors have installed two legitimate Windows drivers—rwdrv.sys and hlpdrv.sys—in Bring Your Own Vulnerable Driver (BYOVD) attacks, with the end goal of evading or disabling security tools.
From our vantage point, we can confirm that we have also detected these drivers across multiple incidents linked to Akira ransomware. In one of these incidents, on July 25, we detected an intrusion where activity originated from a SonicWall device. Here, the threat ac
Bleepingcomputer
SonicWall finds no SSLVPN zero-day, links ransomware attacks to 2024 flaw · blogs_bleepingcomputer · 2025-08-07 · CVSS 9.8 · CVE-2024-40766 [CRITICAL]
By Bill Toulas
SonicWall says that recent Akira ransomware attacks exploiting Gen 7 firewalls with SSLVPN enabled are exploiting an older vulnerability rather than a zero-day flaw.
The company says that the attackers are targeting CVE-2024-40766, an unauthorized access flaw fixed in August 2024.
"We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability," reads the update on the SonicWall bulletin published this week.
"Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015."
CVE-2024-40766 is a critical SSLVPN access control flaw in SonicOS
Tenable
SonicWall Gen 7 Firewall SSLVPN Ransomware Possible Zero-Day | Tenable® · blogs_tenable · 2025-08-05
Tenable
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends · blogs_tenable · 2025-04-23
Securelist
Non-mobile threat statistics for Q3 2024 · blogs_securelist · 2024-11-29 · Authors: AMR
The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
In Q3 2024:
- Kaspersky solutions successfully blocked more than 652 million cyberattacks originating from various online resources.
- Web Anti-Virus detected 109 million unique links.
- File Anti-Virus blocked more than 23 million malicious and potentially unwanted objects.
- More than 90,000 users experience
Securelist
IT threat evolution in Q3 2024. Non-mobile statistics · blogs_securelist · 2024-11-29
Bleepingcomputer
Fog ransomware targets SonicWall VPNs to breach corporate networks · blogs_bleepingcomputer · 2024-10-27 · CVSS 9.8 · CVE-2024-40766 [CRITICAL]
By Bill Toulas
Fog and Akira ransomware operators are increasingly breaching corporate networks through SonicWall VPN accounts, with the threat actors believed to be exploiting CVE-2024-40766, a critical SSL VPN access control flaw.
SonicWall fixed the SonicOS flaw in late August 2024, and roughly a week later, it warned that it was already under active exploitation.
At the same time, Arctic Wolf security researchers reported seeing Akira ransomware affiliates leveraging the flaw to gain initial access to victim networks.
A new report by Arctic Wolf warns that Akira and the Fog ransomware operation have conducted at least 30 intrusions that all started with remote access to a network through SonicWall VPN accounts.
Talos
Akira ransomware continues to evolve
blogs_talos·2024-10-21
Akira ransomware continues to evolve
## Akira ransomware continues to evolve
Akira continues to cement its position as one of the most prevalent ransomware operations in the threat landscape, according to Cisco Talos’ findings and analysis.
Their success is partly due to the fact that they are constantly evolving. For example, after Akira already developed a new version of their ransomware encryptor earlier in the year, we just recently observed another novel iteration of the encryptor targeting Windows and Linux hosts alike.
Previously, Akira typically employed a double-extortion tactic in which critical data is exfiltrated prior to the compromised victim systems becoming encrypted. Beginning in early 2024, Akira appeared to be sidelining the encryption tactics, focusing on data exfiltration only. We assess with low to moderate confidence that this shift was due
Wiz
Crying Out Cloud - October 2024 Newsletter | Wiz
blogs_wiz·2024-10-01·CVSS 9.0
CVE-2024-0132 [CRITICAL] Crying Out Cloud - October 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Critical Vulnerability in NVIDIA Container Toolkit
Wiz Research uncovered a critical vulnerability, CVE-2024-0132, in the widely used NVIDIA Container Toolkit. The vulnerability allows attackers with control over a container image to escape the container and gain full access to the underlying host. It is strongly recommended to update the affected package to the latest version 1.16.2, while focusing on container hosts that might run untrusted container images.
According to Wiz data, 33% of cloud environments are impacted by CVE-2024-0132.
Learn more in our blog.
## 🐞 High Profile Vulnerab
Bleepingcomputer
Critical SonicWall SSLVPN bug exploited in ransomware attacks
blogs_bleepingcomputer·2024-09-09·CVSS 9.8
CVE-2024-40766 [CRITICAL] Critical SonicWall SSLVPN bug exploited in ransomware attacks
## Critical SonicWall SSLVPN bug exploited in ransomware attacks
## Sergiu Gatlan
Ransomware affiliates exploit a critical security vulnerability in SonicWall SonicOS firewall devices to breach victims' networks.
Tracked as CVE-2024-40766, this improper access control flaw affects Gen 5, Gen 6, and Gen 7 firewalls. SonicWall patched it on August 22 and warned that it only impacted the firewalls' management access interface.
However, on Friday, SonicWall revealed that the security vulnerability also impacted the firewall's SSLVPN feature and was now being exploited in attacks. The company warned customers to "apply the patch as soon as possible for affected products" without sharing details regarding in-the-wild exploitation.
The same day, Arctic Wolf security researchers linked the at
Bleepingcomputer
SonicWall SSLVPN access control flaw is now exploited in attacks
blogs_bleepingcomputer·2024-09-06·CVSS 9.8
CVE-2024-40766 [CRITICAL] SonicWall SSLVPN access control flaw is now exploited in attacks
## SonicWall SSLVPN access control flaw is now exploited in attacks
## Bill Toulas
SonicWall is warning that a recently fixed access control flaw tracked as CVE-2024-40766 in SonicOS is now "potentially" exploited in attacks, urging admins to apply patches as soon as possible.
"This vulnerability is potentially being exploited in the wild. Please apply the patch as soon as possible for affected products. The latest patch builds are available for download on mysonicwall.com," warns the updated SonicWall advisory.
CVE-2024-40766 is a critical (CVSS v3 score: 9.3) access control flaw impacting SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices.
The software vendor did not disclose much information about the flaw other than its potential for unauthorized resource acces
Checkpoint
2nd September – Threat Intelligence Report
blogs_checkpoint·2024-09-02
CVE-2024-6386 2nd September – Threat Intelligence Report
## 2nd September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 26th August, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
California-based Patelco Credit Union has confirmed a data breach after a ransomware attack exposed sensitive personal information belonging to 726K clients and employees. The compromised data includes names, Social Security numbers, driver’s license numbers, dates of birth, and email addresses. The
Bleepingcomputer
SonicWall warns of critical access control flaw in SonicOS
blogs_bleepingcomputer·2024-08-26·CVSS 9.8
CVE-2024-40766 [CRITICAL] SonicWall warns of critical access control flaw in SonicOS
## SonicWall warns of critical access control flaw in SonicOS
## Bill Toulas
SonicWall's SonicOS is vulnerable to a critical access control flaw that could allow attackers to gain unauthorized access to resources or cause the firewall to crash.
The flaw has received the identifier CVE-2024-40766 and a severity score of 9.3 according to the CVSS v3 standard, based on its network-based attack vector, low complexity, no authentication, and no user interaction requirements.
"An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," reads SonicWall's bulletin.
"This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as
Crowdstrike
What is Fog Ransomware?
blogs_crowdstrike
What is Fog Ransomware?
## What is Fog ransomware?
Fog Ransomware is a new ransomware variant first detected in May 2024. This emerging ransomware threat uses compromised virtual private network (VPN) credentials or system vulnerabilities to gain access to an organization’s network and rapidly encrypt data in an attempt to earn quick payouts.
Fog attacks mirror traditional ransomware attacks in that they follow the standard attack path of enumeration, lateral movement, encryption and extortion. However, unlike most ransomware attacks, early Fog incidents did not exfiltrate data, indicating that
Huntress
Active Exploitation of SonicWall VPNs | Huntress
blogs_huntress·CVSS 9.8
[CRITICAL] Active Exploitation of SonicWall VPNs | Huntress
Update #4: 8/13/25 @ 5pm ET
Updated to note the use of the -dellog argument in Akira attacks as a way to clear event logs (see “Akira Ransomware Invocation” section); updated IoC table with additional hashes.
Update #3: 8/8/25 @ 5pm ET
A recent report by GuidePoint Security pointed to multiple SonicWall-related incidents where threat actors have installed two legitimate Windows drivers—rwdrv.sys and hlpdrv.sys—in Bring Your Own Vulnerable Driver (BYOVD) attacks, with the end goal of evading or disabling security tools.
From our vantage point, we can confirm that we have also detected these drivers across multiple incidents linked to Akira ransomware. In one of these incidents, on July 25, we detected an intrusion where activity originated from a SonicWall device. Here, the threat acto
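The two post-exploitation indicators the Huntress updates above describe, loads of the legitimate rwdrv.sys and hlpdrv.sys drivers in BYOVD attacks and a "-dellog" argument used to clear event logs, can be checked over driver-load and process-creation telemetry. The Python below is an added example and is not Huntress' or GuidePoint's code; the event layout (single-line, quoted key="value" pairs with Sysmon-style EventID 6 for driver load and EventID 1 for process creation), the field names and every sample line are constructed for illustration, and the "-dellog" check assumes the argument appears as its own whitespace-separated token on the command line.

```python
"""
Added example (not Huntress' or GuidePoint's code): flag the BYOVD driver loads
and the "-dellog" log-clearing argument reported in the SonicWall/Akira incidents.
Event format, field names and sample lines are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Driver file names named in the GuidePoint/Huntress updates. They are legitimate,
# signed drivers, so a signature check does not help; match on the file name.
BYOVD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Argument Huntress reported being used to clear event logs (assumed to appear
# as a separate token on the command line).
LOG_WIPE_FLAG = "-dellog"

# Constructed sample telemetry: Sysmon-style EventID 6 (driver loaded) and
# EventID 1 (process created), one event per line, quoted key="value" pairs.
SAMPLE_EVENTS = [
    r'EventID="6" Computer="WS01" ImageLoaded="C:\Windows\System32\drivers\disk.sys" Signed="true"',
    r'EventID="6" Computer="WS01" ImageLoaded="C:\Users\Public\rwdrv.sys" Signed="true"',
    r'EventID="6" Computer="SRV02" ImageLoaded="C:\ProgramData\HLPDRV.SYS" Signed="true"',
    r'EventID="1" Computer="SRV02" Image="C:\Users\Public\w.exe" CommandLine="w.exe -p \\fs01\share -dellog"',
    r'EventID="1" Computer="WS01" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe C:\temp\notes-dellog.txt"',
]


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Parse one constructed key="value" event line into a dict."""
    return dict(_KV.findall(line))


def driver_basename(path: str) -> str:
    """Return the lower-cased file name of a Windows driver path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_events(lines) -> list:
    """Return a Finding for every event matching one of the two indicators."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        if event_id == "6":
            # Driver loaded: match the known BYOVD driver names case-insensitively,
            # regardless of the directory the driver was dropped into.
            image = ev.get("ImageLoaded", "")
            if driver_basename(image) in BYOVD_DRIVERS:
                findings.append(Finding(ev.get("Computer", "?"), "byovd_driver_load", image))
        elif event_id == "1":
            # Process created: look for "-dellog" as a standalone argument so that
            # a file name merely containing the string does not fire.
            cmd = ev.get("CommandLine", "")
            if LOG_WIPE_FLAG in cmd.lower().split():
                findings.append(Finding(ev.get("Computer", "?"), "log_wipe_argument", cmd))
    return findings


if __name__ == "__main__":
    for f in check_events(SAMPLE_EVENTS):
        print(f"{f.host}\t{f.rule}\t{f.detail}")
```

On the constructed sample, the benign disk.sys load and the notepad command line whose file name happens to contain "dellog" produce nothing; the two driver loads and the process launched with a standalone "-dellog" token are reported. In a real deployment the same logic would be fed from Sysmon or EDR driver-load and process-creation events rather than from the inline sample.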
Published: 2024-08-23
Added to CISA KEV: 2024-09-09
Exploited in the wild