
Attackers did not take advantage of a zero-day vulnerability to breach Gen 7 firewalls.

Akira ransomware affiliates are not exploiting an unknown, zero-day vulnerability in SonicWall Gen 7 firewalls to infiltrate corporate networks, the security vendor has confirmed. Instead, the activity correlates strongly with threat activity related to CVE-2024-40766, which the vendor had previously disclosed in a public advisory. Since July 15, 2025, researchers have noted a marked increase in ransomware activity targeting SonicWall firewalls, particularly through their SSL VPN functionality. Initial assumptions suggested that attackers might be leveraging a zero-day vulnerability, because fully patched SonicWall devices were compromised even after credential rotation and the implementation of time-based one-time password (TOTP) multi-factor authentication (MFA). A SonicWall spokesperson reported fewer than 40 confirmed cases, indicating that the attacks are likely linked to legacy credential usage during migrations from Gen 6 to Gen 7 firewalls, where local user passwords were not reset as advised.

To mitigate these risks, SonicWall has released newer versions of SonicOS, with SonicOS 7.3 offering enhanced protection against brute-force password and MFA attacks. This version includes features such as admin/user lockout, which is enabled by default but requires configuration, and password complexity enforcement, which must be activated by administrators. Organisations using Gen 7 firewalls are urged to upgrade to SonicOS 7.3.0 and reset all local user account passwords for any accounts with SSL VPN access. Additionally, they should consider enabling available protections such as Botnet Protection and Geo-IP Filtering, remove unused user accounts, and enforce strong password policies alongside MFA. Huntress researchers have identified around 20 attacks with notable similarities and differences, sharing indicators of compromise and detailing the various actions and tools employed by the attackers.
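The recommendations above (reset every SSL VPN-capable local account whose password was carried over from a Gen 6 migration, remove unused accounts, and require MFA) amount to an audit of the local user inventory. The script below is an added example, not code from SonicWall, Huntress, or the original article: it runs that audit over a constructed CSV export. The column layout (`username,ssl_vpn_access,password_last_set,last_login,totp_enrolled`), the migration cut-off date, and the 90-day "unused" threshold are assumptions for the example, not SonicOS's real export format or any vendor-stated values.

```python
"""
Audit a local-user export for SSL VPN accounts whose passwords were never
reset after a Gen 6 -> Gen 7 migration, accounts without TOTP MFA, and
accounts that have not logged in recently (candidates for removal).
Added example; column layout and thresholds are assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export. The columns are an assumed layout for this
# example, not SonicOS's actual local-user export format.
SAMPLE_EXPORT = """\
username,ssl_vpn_access,password_last_set,last_login,totp_enrolled
alice,yes,2025-07-20,2025-08-01,yes
bob,yes,2024-03-11,2025-07-30,yes
carol,yes,2024-01-05,2024-02-14,no
dave,no,2024-06-01,2025-07-28,no
erin,yes,2025-07-18,,yes
"""


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


def _parse_date(value: str) -> date | None:
    """Empty cells (never set / never logged in) become None."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def audit_local_users(export_csv: str, migration_date: str, today: str,
                      unused_after_days: int = 90) -> list[Finding]:
    """Return one Finding per policy violation found in the export.

    migration_date / today are ISO-8601 strings (YYYY-MM-DD).
    """
    cutoff = date.fromisoformat(migration_date)
    now = date.fromisoformat(today)
    findings: list[Finding] = []

    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"].strip()
        vpn = row["ssl_vpn_access"].strip().lower() == "yes"
        pw_set = _parse_date(row["password_last_set"])
        last_login = _parse_date(row["last_login"])
        totp = row["totp_enrolled"].strip().lower() == "yes"

        # Legacy credential carried over from the pre-migration firewall:
        # the password must be reset, whatever MFA is layered on top of it.
        if vpn and (pw_set is None or pw_set < cutoff):
            findings.append(Finding(user, "ssl-vpn password predates migration: reset"))

        # SSL VPN access without TOTP enrolment.
        if vpn and not totp:
            findings.append(Finding(user, "ssl-vpn account without TOTP MFA"))

        # Never logged in, or idle longer than the threshold: remove if unused.
        if last_login is None or now - last_login > timedelta(days=unused_after_days):
            findings.append(Finding(user, "no recent login: remove if unused"))

    return findings


def findings_by_user(findings: list[Finding]) -> dict[str, list[str]]:
    """Group reasons per username so the report reads one block per account."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.username, []).append(f.reason)
    return grouped


if __name__ == "__main__":
    # Constructed dates: an assumed migration cut-off and an assumed "today".
    report = findings_by_user(audit_local_users(SAMPLE_EXPORT, "2025-07-01", "2025-08-05"))
    for user, reasons in report.items():
        print(user)
        for reason in reasons:
            print(f"  - {reason}")
```

In the sample data `alice` and `dave` pass cleanly, `bob` is flagged only for a carried-over password, `carol` trips all three rules, and `erin` (created after the migration, never logged in) surfaces only as an unused-account candidate. The point of the first rule is the one the article makes: a password that predates the migration is a finding even when TOTP is enrolled, because MFA layered on a legacy credential was exactly the configuration that was still being compromised.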

Categories: Ransomware Activity, Vulnerability Management, Mitigation Strategies 

Tags: Akira, Ransomware, SonicWall, Vulnerability, CVE-2024-40766, SSL VPN, Multi-Factor Authentication, Firmware, Mitigation, Cybersecurity 
