SonicWall has attributed a recent series of ransomware attacks on its Gen 7 firewalls not to a new zero-day vulnerability, but to a previously patched, year-old flaw. This assertion comes as a response to initial reports from third-party researchers who suspected a new, unpatched vulnerability was the cause of the attacks. The company’s investigation has concluded with “high confidence” that the attacks are linked to CVE-2024-40766, a critical improper access control vulnerability disclosed and patched in August 2024.
The vulnerability, which has a CVSS score of 9.8, affects the SonicOS network security operating system. It allows unauthorized access to vulnerable endpoints, enabling attackers to gain control and deploy ransomware. The current spree of attacks, which began in mid-July and has affected fewer than 40 organizations, appears to be leveraging this flaw, particularly in instances where customers have migrated from older Gen 6 firewalls to newer Gen 7 models without properly resetting passwords. According to SonicWall, carrying over local user passwords during the migration process has left a significant number of devices susceptible to brute-force and credential stuffing attacks.
While SonicWall has been firm in its stance, the company’s claims have been met with some skepticism from the cybersecurity community. Some researchers have reported compromises in environments with recently rotated credentials or on new Gen 7 installs, suggesting the attacks may be more complex than simply exploiting old passwords. However, SonicWall’s updated guidance to customers is clear: change all local user account passwords, especially those used for SSLVPN, and update to SonicOS 7.3.0 or a later firmware version. The new firmware includes enhanced protections against brute-force attacks and improved multi-factor authentication (MFA) controls. SonicWall had previously advised customers to disable SSLVPN on Gen 7 firewalls, but this latest guidance focuses on remediation through patching and credential management. This incident serves as a stark reminder of the importance of timely patching and the dangers of neglecting recommended security practices, even for vulnerabilities that are a year old.
