Full Report
A vulnerability has been discovered in SonicWall SonicOS Management Access and SSLVPN which could allow for unauthorized resource access and, in specific conditions, cause the firewall to crash. SonicOS is SonicWall’s operating system designed for their firewalls and other security devices. Successful exploitation of the most severe of these vulnerabilities could allow for unauthorized access on the system. Depending on the privileges associated with the system, an attacker could then view, change, or delete data.
Analysis Summary
# Vulnerability: SonicOS Management Access and SSLVPN Improper Access Control
## CVE Details
- CVE ID: CVE-2024-40766
- CVSS Score: Not explicitly provided in this summary; the active exploitation and the unauthorized-access and crash potential imply High/Critical severity. (The impact-based severity rating is HIGH for large and medium entities.)
- CWE: Improper Access Control
## Affected Systems
- Products: SonicWall SonicOS (Firewalls and security devices using SonicOS)
- Versions:
  - SOHO (Gen 5): 5.9.2.14-12o and older
  - Gen6 Firewalls: 6.5.4.14-109n and older
  - Gen7 Firewalls: SonicOS build version 7.0.1-5035 and older
- Configurations: Devices with Management Access and/or SSLVPN enabled. Recent threat activity specifically targeted Gen 7 firewalls with SSLVPN enabled that used migrated local accounts with unchanged passwords.
## Vulnerability Description
An improper access control vulnerability exists within the SonicWall SonicOS Management Access and SSLVPN components. Successful exploitation could lead to unauthorized resource access. Under specific conditions, exploitation could cause the firewall to crash (Denial of Service). If successfully exploited for unauthorized access, an attacker could potentially view, change, or delete data based on the system's associated privileges. This vulnerability falls under the MITRE Tactic **Initial Access** (TA0001) using the **Exploit Public-Facing Application** (T1190) technique.
## Exploitation
- Status: Actively exploited in the wild (reported in 2025 threat activity, linked to Akira ransomware campaigns exploiting migrated local accounts). PoC status is not explicitly mentioned, but exploitation is confirmed.
- Complexity: Not explicitly rated, but exploitation via a public-facing SSLVPN suggests Low to Medium complexity, especially when targeting default credentials.
- Attack Vector: Network (Via Management Access or SSLVPN)
## Impact
- Confidentiality: Data viewing possible, depending on the privileges associated with the system.
- Integrity: Data alteration or deletion possible, depending on the privileges associated with the system.
- Availability: Potential for firewall crash (Denial of Service) under specific conditions.
## Remediation
### Patches
- SonicWall has provided appropriate updates. Users must apply the latest stable releases provided by SonicWall immediately after testing. (Specific version numbers for fixed builds are not listed in this summary and must be retrieved from the vendor advisory.)
### Workarounds
- The vendor advisory emphasizes credential hygiene in response to active exploitation: ensure migrated local accounts have strong, non-default passwords. (While not a direct patch, this mitigation addresses the known exploitation vector involving old passwords.)
## Detection
- Indicators of Compromise: Active threat activity involves targeted attacks against Gen 7 SonicWall firewalls utilizing SSLVPN and weak/migrated passwords, linked to Akira ransomware.
- Detection Methods and Tools: Implement robust vulnerability scanning (authenticated and unauthenticated) and monitor firewall logs for unusual access or crash events related to the management or SSLVPN interfaces. Regularly verify software versions against vendor advisories.
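As an added example (not part of the advisory or any SonicWall tooling) of the version check recommended above, the following script parses SonicOS version strings and compares them against the affected ceilings listed under Affected Systems. It assumes the first number of the version identifies the generation (5 = SOHO Gen 5, 6 = Gen6, 7 = Gen7) and that builds order by release numbers, then build number, then suffix letter; the sample inputs are constructed.

```python
import re
from typing import Optional, Tuple

# Affected ceilings quoted from the advisory summary ("... and older"),
# keyed by SonicOS major version. Assumption: the major version maps to
# the firewall generation (5 = SOHO Gen 5, 6 = Gen6, 7 = Gen7).
AFFECTED_MAX = {
    5: "5.9.2.14-12o",
    6: "6.5.4.14-109n",
    7: "7.0.1-5035",
}

# Dotted release numbers, a dash, a build number, and an optional suffix letter.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, str]:
    """Split e.g. '6.5.4.14-109n' into ((6, 5, 4, 14), 109, 'n')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    dotted, build, suffix = m.groups()
    return tuple(int(p) for p in dotted.split(".")), int(build), suffix


def is_affected(text: str) -> Optional[bool]:
    """True if the version is at or below the affected ceiling for its
    generation, False if newer, None if the generation is not listed."""
    release, build, suffix = parse_version(text)
    ceiling = AFFECTED_MAX.get(release[0])
    if ceiling is None:
        return None
    c_release, c_build, c_suffix = parse_version(ceiling)
    # Ordered comparison: release numbers, then build number, then suffix.
    return (release, build, suffix) <= (c_release, c_build, c_suffix)


if __name__ == "__main__":
    # Constructed sample inventory of version strings, not real devices.
    for v in ["7.0.1-5035", "7.0.1-5111", "6.5.4.14-109n", "5.9.2.14-13o"]:
        print(v, "affected" if is_affected(v) else "not affected")
```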
## References
- Vendor Advisory (SonicWall): hxxps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
- CVE Details: hxxps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40766
- MS-ISAC Advisory: 2024-097