# Critical SonicWall CVE-2024-40766 flaw exploited in attacks. Apply patches now t...
A critical access control flaw, **CVE-2024-40766**, impacting SonicWall's firewall devices, is now **actively exploited** in the wild, according to an updated advisory from SonicWall. This vulnerability affects **Gen 5, Gen 6, and Gen 7** devices, with a severity score of **9.3 (CVSS v3)**. SonicWall is urging administrators to immediately apply patches to prevent unauthorized access and potential network disruption.
### Key Details of CVE-2024-40766
Initially disclosed on **August 22, 2024**, the flaw was thought to be limited to **SonicOS management access**. However, a recent update reveals that **SSLVPN** functionalities are also vulnerable. SonicWall warns that threat actors may exploit this flaw to gain unauthorized access to critical network resources and crash firewalls, disabling essential security protections.
Although SonicWall hasn't provided specifics about how the flaw is exploited, historical attacks on similar SonicWall vulnerabilities have shown that cybercriminals frequently target **SSLVPN endpoints** due to their exposure on the internet for remote VPN access.
### Affected Products and Security Patch Releases
SonicWall has provided a detailed breakdown of affected devices and the corresponding patches:
| **SonicWall Generation** | **Affected Versions** | **Fixed Version** |
|--------------------------|----------------------------------------------------|-------------------------------------------------|
| **Gen 5** | SonicOS 5.9.2.14-12o and older | SonicOS 5.9.2.14-13o |
| **Gen 6** | SonicOS 6.5.4.14-109n and older | 6.5.2.8-2n (SM9800, NSsp 12400, NSsp 12800); 6.5.4.15-116n (other Gen 6 firewalls) |
| **Gen 7** | SonicOS 7.0.1-5035 and older | Non-reproducible in 7.0.1-5035 and later builds |
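To turn the table above into a repeatable inventory check, here is an added Python triage script; it is not SonicWall's own tooling. The sample inventory is constructed, the assumption that SM9800 / NSsp 12400 / NSsp 12800 run the 6.5.2.x branch is mine, and any build below the fixed build (or, for Gen 7, at or below 7.0.1-5035, since the table lists that build as affected) is treated as affected.

```python
import re
from typing import Optional, Tuple

# Fixed builds taken from the advisory table above.
FIXED = {
    "Gen 5": "5.9.2.14-13o",
    "Gen 6": "6.5.4.15-116n",          # all Gen 6 models not listed below
    "Gen 6 (6.5.2 branch)": "6.5.2.8-2n",
}
# Assumption: these three models run the 6.5.2.x branch per the table.
GEN6_652_MODELS = {"SM9800", "NSsp 12400", "NSsp 12800"}
GEN7_LAST_AFFECTED = "7.0.1-5035"

# SonicOS version strings look like "6.5.4.14-109n" or "7.0.1-5035":
# dotted numeric release, a dash, a build number and an optional letter.
_VER = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")


def parse_sonicos(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn a SonicOS version string into a tuple that compares correctly."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {version!r}")
    dotted, build, suffix = m.groups()
    return (tuple(int(p) for p in dotted.split(".")), int(build), suffix)


def is_affected(gen: str, version: str, model: Optional[str] = None) -> bool:
    """True if this firmware is on a build that still needs the patch."""
    v = parse_sonicos(version)
    if gen == "Gen 7":
        # The table lists 7.0.1-5035 itself as affected, so include it.
        return v <= parse_sonicos(GEN7_LAST_AFFECTED)
    if gen == "Gen 6" and model in GEN6_652_MODELS:
        return v < parse_sonicos(FIXED["Gen 6 (6.5.2 branch)"])
    if gen in FIXED:
        # Model unknown or not a 6.5.2-branch model: a 6.5.2.x build is
        # still flagged here, which is the conservative outcome.
        return v < parse_sonicos(FIXED[gen])
    raise ValueError(f"unknown generation: {gen!r}")


# Constructed sample inventory: (hostname, generation, firmware, model).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "Gen 5", "5.9.2.14-12o", None),
    ("fw-dc-02", "Gen 6", "6.5.4.14-109n", None),
    ("fw-core-03", "Gen 6", "6.5.2.8-2n", "NSsp 12400"),
    ("fw-edge-04", "Gen 7", "7.0.1-5035", None),
    ("fw-edge-05", "Gen 7", "7.0.1-5036", None),
]


def triage(inventory):
    """Return (hostname, verdict) pairs for every record in the inventory."""
    return [(host, "PATCH NOW" if is_affected(gen, ver, model) else "fixed")
            for host, gen, ver, model in inventory]


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```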
### Mitigation and Recommendations
SonicWall has issued the following **mitigation strategies** to minimize the risk of exploitation while patches are being applied:
1. **Restrict Firewall Management Access**:
Limit management access to trusted internal sources and **disable WAN portal** access from the internet where possible.
2. **Restrict SSLVPN Access**:
Restrict **SSLVPN access** to trusted sources and **disable** SSLVPN entirely if not required.
3. **Update Local SSLVPN User Passwords**:
For **Gen 5 and Gen 6** devices, SSLVPN users with local accounts should update their passwords immediately. Admins should enable the **"User must change password"** feature for local accounts.
4. **Enable Multi-Factor Authentication (MFA)**:
Implement **MFA** for all SSLVPN users, using **Time-based One-Time Passwords (TOTP)** or email-based **OTPs**. Detailed configuration guidance for enabling MFA is available from SonicWall.
### Exploitation in the Wild
Although **SonicWall** has not disclosed specific details on how **CVE-2024-40766** is being actively exploited, historical evidence indicates that SonicWall's vulnerabilities are frequently targeted by threat actors. These actors take advantage of the devices' internet exposure for **remote access**, as demonstrated by past incidents, such as the **March 2023** campaign in which suspected **Chinese hackers (UNC4540)** targeted unpatched SonicWall devices to deploy custom malware that persisted through firmware upgrades.
Similar exploitation patterns could emerge, as **SSLVPN vulnerabilities** have been historically attractive targets for attackers seeking to compromise corporate networks, bypass firewall protections, and establish persistent footholds in enterprise systems.
### Action Items for Administrators
**Immediate patching** is the most effective way to secure your network against this vulnerability. Admins are strongly encouraged to download the latest patch from **MySonicWall.com** and apply it to affected devices. Furthermore, admins should review SonicWall's recommendations on reducing exposure, enhancing access controls, and enforcing multi-factor authentication.
For further details on patches, configurations, and advisories, visit SonicWall's **official advisory** page.
**CVE-2024-40766** poses a critical risk to organizations using **SonicWall firewall devices**. As attacks exploiting this vulnerability have already been observed, swift patching and the application of mitigations are essential to prevent unauthorized access, disruption of network defenses, and potential data breaches. Organizations must take immediate action by applying the latest patches, restricting SSLVPN access, and enabling MFA to safeguard against potential attacks.
#### Resources:
- [SonicWall Advisory Page](https://mysonicwall.com)
- [SSLVPN Configuration Guide](https://link_to_sslvpn_configuration)