CVE-2024-40766: The Patch Fixed the Bug. Nobody Fixed the Configuration.
Strategic summary
The vulnerability CVE-2024-40766 (CVSS 9.3) disclosed in August 2024 affects SonicOS management and SSLVPN services and continues to be actively exploited by ransomware groups like Akira and Fog despite available patches. A separate breach of the MySonicWall service exposed configuration backups containing encrypted credentials, facilitating compromise of SSLVPN accounts. Additionally, a new vulnerability (CVE-2024-12802) enabling MFA bypass has been observed in the wild since early 2026. Organizations must urgently update their SonicWall devices, reset local passwords, and restrict management interface access.
Key findings
- CVE-2024-40766 is a critical access control vulnerability in SonicOS affecting Gen 5, 6, and 7 firewalls, enabling unauthorized access and device crashes.
- Ransomware groups Akira and Fog have been actively exploiting this flaw since 2024, with escalation in mid-2025 and continued attacks into 2026: compromising SSLVPN accounts with short dwell times.
- A separate MySonicWall breach exposed all configuration backups, providing attackers with encrypted credentials and enabling rapid SSLVPN account takeover without brute-forcing.
- CVE-2024-12802, an authentication bypass vulnerability, has been exploited in the wild since February 2026 to circumvent MFA using previously obtained credentials.
- Immediate patching, resetting all local passwords, and restricting management access are critical to mitigate risk.
Relevance for you
The vulnerability is actively exploited and demonstrates a typical gap between patch availability and user configuration; exploitation waves in July-August 2025 indicate ransomware campaigns (including Akira) combining a firewall vulnerability with weak configuration practices.
Mentioned CVEs
Risk score
- cvss base
- 98.00
- kev bonus
- 20.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 133.00
- industry weight
- 1.10
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
- consensus penalty
- -8.00
Path: operational
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
VENDOR_MISMATCHVendor not found in alert title −5 -
CVE_ABSENTTitle-claimed CVE missing from description −3
- Consensus penalty:
- −8.0
- Total penalty:
- −8.0
MITRE ATT&CK mapping
5 TTPsProcedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1190 Exploit Public-Facing Application | Initial Access | Akira and Fog ransomware groups exploited CVE-2024-40766, an improper access control vulnerability in SonicWall SonicOS, to gain unauthorized access to SonicWall firewalls through the management interface and SSLVPN service on Gen 5, Gen 6, and Gen 7 devices. | high | llm |
| T1133 External Remote Services | Initial Access | Attackers targeted SonicWall SSLVPN services exposed to the internet, which many organizations used as their sole remote access method, with at least 48,933 devices publicly exposed and unpatched as of December 2024. | high | llm |
| T1078 Valid Accounts | Defense Evasion | Attackers leveraged compromised SSLVPN accounts on vulnerable SonicWall devices, including local accounts with no AD counterpart and accounts inheriting VPN access via misconfigured LDAP Default User Group assignments, to maintain access post-exploitation. | high | llm |
| T1486 Data Encrypted for Impact | Impact | Akira and Fog ransomware groups used access gained through CVE-2024-40766 exploitation as an entry point to deploy ransomware against victim organizations, with compromised organizations appearing on Akira and Fog leak sites. | high | llm |
| T1098 Account Manipulation | Persistence | Attackers created or manipulated local SSLVPN accounts on SonicWall devices, including accounts with non-printable or unusual characters in usernames that had no Active Directory counterpart, to maintain persistent access. | medium | llm |