Skip to content
Auto-CTI
Back to all deep dives
SANS INTERNET STORM CENTER, INFOCON: GREEN

CVE-2024-40766: The Patch Fixed the Bug. Nobody Fixed the Configuration.

KEV HIGH firewall improper-access-control active-exploitation sslvpn

Strategic summary

The vulnerability CVE-2024-40766 (CVSS 9.3) disclosed in August 2024 affects SonicOS management and SSLVPN services and continues to be actively exploited by ransomware groups like Akira and Fog despite available patches. A separate breach of the MySonicWall service exposed configuration backups containing encrypted credentials, facilitating compromise of SSLVPN accounts. Additionally, a new vulnerability (CVE-2024-12802) enabling MFA bypass has been observed in the wild since early 2026. Organizations must urgently update their SonicWall devices, reset local passwords, and restrict management interface access.

Key findings

  • CVE-2024-40766 is a critical access control vulnerability in SonicOS affecting Gen 5, 6, and 7 firewalls, enabling unauthorized access and device crashes.
  • Ransomware groups Akira and Fog have been actively exploiting this flaw since 2024, with escalation in mid-2025 and continued attacks into 2026: compromising SSLVPN accounts with short dwell times.
  • A separate MySonicWall breach exposed all configuration backups, providing attackers with encrypted credentials and enabling rapid SSLVPN account takeover without brute-forcing.
  • CVE-2024-12802, an authentication bypass vulnerability, has been exploited in the wild since February 2026 to circumvent MFA using previously obtained credentials.
  • Immediate patching, resetting all local passwords, and restricting management access are critical to mitigate risk.

Relevance for you

The vulnerability is actively exploited and demonstrates a typical gap between patch availability and user configuration; exploitation waves in July-August 2025 indicate ransomware campaigns (including Akira) combining a firewall vulnerability with weak configuration practices.

Mentioned CVEs

Risk score

Review required 71
cvss base
98.00
kev bonus
20.00
epss bonus
0.00
poc bonus
15.00
raw before weight
133.00
industry weight
1.10
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00
consensus penalty
-8.00

Path: operational

Consensus check

The pipeline self-checks before delivery. These rules lowered the score:

  • VENDOR_MISMATCH Vendor not found in alert title −5
  • CVE_ABSENT Title-claimed CVE missing from description −3
Consensus penalty:
−8.0
Total penalty:
−8.0

MITRE ATT&CK mapping

5 TTPs
Recon
Resource Dev
Execution
Priv. Escal.
Cred. Access
Discovery
Lateral Mov.
Collection
C2
Exfiltration
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1190
Exploit Public-Facing Application
Initial Access Akira and Fog ransomware groups exploited CVE-2024-40766, an improper access control vulnerability in SonicWall SonicOS, to gain unauthorized access to SonicWall firewalls through the management interface and SSLVPN service on Gen 5, Gen 6, and Gen 7 devices. high llm
T1133
External Remote Services
Initial Access Attackers targeted SonicWall SSLVPN services exposed to the internet, which many organizations used as their sole remote access method, with at least 48,933 devices publicly exposed and unpatched as of December 2024. high llm
T1078
Valid Accounts
Defense Evasion Attackers leveraged compromised SSLVPN accounts on vulnerable SonicWall devices, including local accounts with no AD counterpart and accounts inheriting VPN access via misconfigured LDAP Default User Group assignments, to maintain access post-exploitation. high llm
T1486
Data Encrypted for Impact
Impact Akira and Fog ransomware groups used access gained through CVE-2024-40766 exploitation as an entry point to deploy ransomware against victim organizations, with compromised organizations appearing on Akira and Fog leak sites. high llm
T1098
Account Manipulation
Persistence Attackers created or manipulated local SSLVPN accounts on SonicWall devices, including accounts with non-printable or unusual characters in usernames that had no Active Directory counterpart, to maintain persistent access. medium llm
ESC