SonicWall customers have been urged to patch a critical vulnerability in their firewalls after security researchers warned it is being actively exploited in ransomware attacks.
The CVSS 9.3-rated vulnerability (CVE-2024-40766) was originally published on August 22 by the security vendor, before an update on September 6 claimed it was being actively exploited.
“An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash,” the advisory noted.
“This issue affects SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions. This vulnerability is potentially being exploited in the wild. Please apply the patch as soon as possible for affected products.”
Read more on SonicWall bugs: SonicWall Probes Attack Using Zero-Days in Own Products
Arctic Wolf senior threat intelligence researcher, Stefan Hostetler, claimed in a blog post on Friday that Akira ransomware affiliates had compromised SSLVPN accounts on SonicWall devices as an initial access vector for their attacks.
“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory,” he added. “Additionally, [multi-factor authentication] MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices were within the versions known to be vulnerable to CVE-2024-40766.”
As well as upgrading to the latest SonicOS firmware and switching on MFA for locally managed SSLVPN accounts, Hostetler urged Gen5 and Gen6 device owners/administrators to update their passwords for each account.
Researchers at Rapid7 have also been monitoring the situation and noted likely threat activity linked to CVE-2024-40766.
“As of September 9 2024, Rapid7 is aware of several recent incidents (both external and Rapid7-observed) in which SonicWall SSLVPN accounts were targeted or compromised, including by ransomware groups,” it explained.
“Evidence linking CVE-2024-40766 to these incidents is still circumstantial, but given adversary interest in the software in general, Rapid7 strongly recommends remediating on an emergency basis. Vulnerabilities like CVE-2024-40766 are frequently used for initial access to victim environments.”
On Monday, the flaw was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, with federal agencies given a deadline of September 30 to patch.