The Akira ransomware gang exploited **CVE-2024-40766** (CVSS 9.8), a critical vulnerability in SonicWall's SSLVPN appliances that was originally disclosed in August 2024 but left unpatched by many organizations. Over **438,000 SonicWall devices remained publicly exposed**, enabling attackers to gain unauthorized access through misconfigurations, legacy credentials, and improper LDAP group settings. Akira and other ransomware groups (e.g., Fog) used this access to encrypt systems within **10 hours of initial access**, causing widespread disruption. Rapid7 reported **double-digit incidents** among its customers, while SonicWall confirmed **fewer than 40 cases** in early August 2025, though the actual impact is likely higher because of underreporting. The attacks leveraged **default Virtual Office portal configurations**, which allowed MFA to be bypassed where credentials had previously been exposed. Organizations that failed to apply patches, enforce MFA, or restrict portal access faced **full-system encryption**, operational outages, and potential **data exfiltration**, threatening business continuity. The persistent exploitation highlights systemic negligence in mitigating known vulnerabilities, amplifying the risk of **financial losses, reputational damage, and regulatory penalties** for affected entities.
Source: https://www.theregister.com/2025/09/10/akira_ransomware_abusing_sonicwall/
TPRM report: https://www.rankiteo.com/company/sonicwall
"id": "son2902029091125",
"linkid": "sonicwall",
"type": "Ransomware",
"date": "8/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'location': 'global',
'name': 'SonicWall customers (hundreds of Rapid7 '
'clients affected)',
'type': ['private organizations', 'enterprises']},
{'location': 'global',
'name': 'At least 100 organizations (2024-09 to '
'2024-12)',
'type': ['private organizations', 'enterprises']},
{'location': 'global',
'name': '<40 confirmed cases (as of early August 2025)',
'type': ['private organizations', 'enterprises']}],
'attack_vector': ['exploitation of CVE-2024-40766 (improper access control)',
'SSLVPN misconfigurations',
'default LDAP group over-provisioning',
'Virtual Office portal public access',
'legacy credential abuse'],
'customer_advisories': ['Patch immediately',
'Enable MFA',
'Restrict Virtual Office portal access'],
'data_breach': {'data_encryption': 'full system encryption (ransomware)'},
'date_detected': '2024-09-01',
'date_publicly_disclosed': '2024-08-01',
'description': 'Affiliates of the Akira ransomware gang are exploiting a '
'critical SonicWall vulnerability (CVE-2024-40766, CVSS 9.8) '
'originally disclosed in August 2024, along with SSLVPN '
'misconfigurations and default LDAP group settings. The '
'attacks target unpatched SonicWall devices, with over 438,000 '
'devices still publicly accessible. Akira and Fog ransomware '
'groups have used this flaw since late 2024, gaining initial '
'access and encrypting systems in under 10 hours in some '
'cases. SonicWall confirmed fewer than 40 cases as of early '
'August 2025, linked to legacy credential use during firewall '
'migrations. Rapid7 and other security firms warn of '
'widespread industry impact, urging patches, MFA enforcement, '
'and Virtual Office portal restrictions.',
'impact': {'brand_reputation_impact': 'high (publicized vulnerability '
'exploitation)',
'downtime': '<10 hours (encryption timeframe in some cases)',
'operational_impact': 'potential widespread disruption (438,000+ '
'devices exposed)',
'systems_affected': 'SonicWall firewall devices (Gen 6/Gen 7), '
'SSLVPN services, Virtual Office portal'},
'initial_access_broker': {'entry_point': ['CVE-2024-40766 exploitation',
'SSLVPN misconfigurations',
'legacy credentials',
'Virtual Office portal public '
'access'],
'high_value_targets': 'SonicWall firewall/VPN '
'devices'},
'investigation_status': 'ongoing (SonicWall investigating additional '
'exploitation as of 2025-08)',
'lessons_learned': 'Legacy credentials and misconfigurations (e.g., default '
'LDAP groups, public Virtual Office portal access) '
'significantly increase risk even after patching. Rapid '
'encryption (<10 hours) underscores the need for immediate '
'mitigation. MFA and network access restrictions are '
'critical supplementary controls.',
'motivation': 'financial gain (ransomware)',
'post_incident_analysis': {'corrective_actions': ['Mandatory patching with '
'verification',
'MFA enforcement for all '
'SonicWall services',
'Network segmentation for '
'VPN portals',
'Credential hygiene audits',
'Dark web monitoring for '
'exposed credentials'],
'root_causes': ['Unpatched CVE-2024-40766 (known '
'since August 2024)',
'Default LDAP group '
'over-provisioning',
'Publicly accessible Virtual '
'Office portal',
'Legacy credential reuse during '
'migrations',
'Insufficient MFA enforcement']},
'ransomware': {'data_encryption': True, 'ransomware_strain': ['Akira', 'Fog']},
'recommendations': ['Apply SonicWall patches for CVE-2024-40766 immediately',
'Upgrade to SonicOS 7.3.0 with enhanced MFA protections',
'Rotate legacy credentials, especially during Gen 6→Gen 7 '
'firewall migrations',
'Disable default LDAP group configurations to prevent '
'over-provisioning',
'Restrict Virtual Office portal access to internal '
'networks only',
'Monitor for anomalous VPN logins (e.g., via '
'Rapid7/Arctic Wolf)',
'Assume compromise if unpatched; conduct thorough '
'incident response'],
'references': [{'date_accessed': '2025-08-07', 'source': 'The Register'},
{'date_accessed': '2025-08-07', 'source': 'Rapid7 Advisory'},
{'date_accessed': '2024-08-01',
'source': 'SonicWall Public Advisory (SNLWID-2024-0015)'},
{'date_accessed': '2025-08-07',
'source': 'Bitsight Research (Emma Stevens)'},
{'date_accessed': '2025-07-22',
'source': 'ThreatLocker/Arctic Wolf Alerts'}],
'response': {'communication_strategy': ['SonicWall public advisory '
'(SNLWID-2024-0015)',
'Rapid7 customer notifications',
'media alerts via The Register'],
'containment_measures': ['patching CVE-2024-40766',
'credential rotation',
'upgrading to SonicOS 7.3.0'],
'incident_response_plan_activated': True,
'remediation_measures': ['enforcing MFA for SonicWall services',
'restricting Virtual Office portal '
'access to internal networks',
'disabling default LDAP group '
'configurations'],
'third_party_assistance': ['Rapid7',
'ThreatLocker',
'Arctic Wolf']},
'stakeholder_advisories': ['SonicWall updated mitigation guidance',
'Rapid7 customer notifications'],
'threat_actor': ['Akira ransomware gang', 'Fog ransomware gang'],
'title': 'Akira Ransomware Exploits Critical SonicWall Vulnerability '
'(CVE-2024-40766) in Ongoing Attacks',
'type': ['ransomware', 'unauthorized access', 'exploitation of vulnerability'],
'vulnerability_exploited': ['CVE-2024-40766 (SonicWall improper access '
'control, CVSS 9.8)',
'SonicWall SSLVPN misconfigurations',
'default LDAP group configurations',
'Virtual Office portal public access']}