CISA confirms that SonicWall vulnerability is getting exploited (CVE-2024-40766)

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-40766 – a recently fixed improper access control vulnerability affecting SonicWall’s firewalls – to its Known Exploited Vulnerabilities catalog, thus confirming it is being actively exploited by attackers.

CVE-2024-40766 exploited

Though the KEV entry does not say that it’s being leveraged in ransomware campaigns, both Arctic Wolf and Rapid7 say that there is indirect evidence pointing to that.

What we know so far

On the same day that SonicWall amended its security advisory to say that CVE-2024-40766 is “potentially being exploited in the wild” and to say that the vulnerability affects the SSLVPN feature as well as the devices’ management access, Arctic Wolf researcher Stefan Hostetler shared that they have observed Akira ransomware affiliates carrying out attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices.

“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory. Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices was within the versions known to be vulnerable to CVE-2024-40766,” he noted.

Rapid7 chimed in on Monday by saying that “as of September 9, 2024, Rapid7 is aware of several recent incidents (both external and Rapid7-observed) in which SonicWall SSLVPN accounts were targeted or compromised, including by ransomware groups.”

“Vulnerabilities like CVE-2024-40766 are frequently used for initial access to victim environments,” the company said, and though evidence linking CVE-2024-40766 to these incidents is still circumstantial, they advised admins to immediately mitigate the threat of exploitation by upgrading to the latest SonicOS firmware version or restricting firewall management and SSLVPN access to trusted sources and disabling internet access whenever possible.

“SonicWall strongly advises that customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts immediately update their passwords to enhance security and prevent unauthorized access,” SonicWall also noted, and recommends that admins enable multi-factor authentication for all SSLVPN users.
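The conditions described above (local SSLVPN accounts, MFA disabled, unpatched SonicOS, SSLVPN or management exposed to the internet, passwords not yet rotated on GEN5/GEN6) can be checked mechanically across a fleet. The script below is an added example, not code from SonicWall, Arctic Wolf or Rapid7; it assumes a hypothetical JSON inventory format exported by your own tooling, and the `ASSUMED_FIXED_BUILDS` values are placeholders, not the fixed builds from SonicWall's advisory.

```python
"""Triage a SonicWall inventory against the risk conditions reported for
CVE-2024-40766. Inventory format and all values below are constructed for
this example; take the real minimum fixed builds from the vendor advisory."""
import re
from dataclasses import dataclass
from typing import List, Optional

# PLACEHOLDER minimum patched builds per hardware generation (assumed, not
# SonicWall's numbers). Replace with the builds listed in the advisory.
ASSUMED_FIXED_BUILDS = {"GEN5": "5.9.9.9-0", "GEN6": "6.5.9.9-0", "GEN7": "7.0.9-9"}

@dataclass
class Finding:
    device: str
    account: Optional[str]
    issue: str

def parse_version(v: str) -> tuple:
    """Turn '6.5.4.13-105n' into (6, 5, 4, 13, 105) for ordering; suffix letters are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def triage(inventory: List[dict], fixed_builds: dict = ASSUMED_FIXED_BUILDS) -> List[Finding]:
    findings = []
    for dev in inventory:
        name, gen = dev["name"], dev["generation"]
        fixed = fixed_builds.get(gen)
        unpatched = fixed is not None and parse_version(dev["firmware"]) < parse_version(fixed)
        if unpatched:
            findings.append(Finding(name, None, f"firmware {dev['firmware']} below assumed fixed build {fixed}"))
        # Rapid7's advice: restrict SSLVPN and management access to trusted sources.
        if dev.get("sslvpn_wan_exposed") and not dev.get("sslvpn_source_restricted"):
            findings.append(Finding(name, None, "SSLVPN reachable from the internet without source restriction"))
        if dev.get("mgmt_wan_exposed"):
            findings.append(Finding(name, None, "management interface reachable from the internet"))
        for acct in dev.get("sslvpn_accounts", []):
            if not acct["local"]:
                continue  # centrally managed accounts are out of scope for these two checks
            if not acct["mfa"]:
                findings.append(Finding(name, acct["name"], "local SSLVPN account without MFA"))
            # SonicWall's advice: GEN5/GEN6 local SSLVPN users should rotate passwords.
            if gen in ("GEN5", "GEN6") and not acct.get("password_rotated", False):
                findings.append(Finding(name, acct["name"], "local SSLVPN password not rotated"))
    return findings

# Constructed sample inventory (two devices, fictional names and versions).
SAMPLE_INVENTORY = [
    {"name": "fw-branch-01", "generation": "GEN6", "firmware": "6.5.4.13-105n",
     "sslvpn_wan_exposed": True, "sslvpn_source_restricted": False, "mgmt_wan_exposed": True,
     "sslvpn_accounts": [
         {"name": "vpnuser1", "local": True, "mfa": False, "password_rotated": False},
         {"name": "jdoe", "local": False, "mfa": True}]},
    {"name": "fw-hq-01", "generation": "GEN7", "firmware": "7.1.0-100",
     "sslvpn_wan_exposed": True, "sslvpn_source_restricted": True, "mgmt_wan_exposed": False,
     "sslvpn_accounts": [{"name": "contractor", "local": True, "mfa": True, "password_rotated": True}]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.device:14} {f.account or '-':12} {f.issue}")
```

Run against the sample, only `fw-branch-01` produces findings: unpatched firmware, unrestricted SSLVPN and management exposure, and a local account with no MFA and an unrotated password; the patched, source-restricted `fw-hq-01` produces none. Devices that combine an unpatched build with an exposed SSLVPN and local accounts are the ones to prioritise for patching and password resets.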
