SonicWall has been investigating reports about a zero-day potentially being exploited in ransomware attacks, but found no evidence of a new vulnerability in its products.
Cybersecurity companies Huntress, Arctic Wolf and Field Effect warned recently that they have been seeing Akira ransomware attacks targeting SonicWall firewalls with SSL VPN enabled through what may be a zero-day vulnerability.
SonicWall soon announced an investigation and on Wednesday revealed that the attacks do not appear to involve exploitation of a zero-day vulnerability affecting Gen 7 or newer firewalls.
The company said it has determined with high confidence that no zero-day is involved; instead, the attacks appear to be related to exploitation of CVE-2024-40766, a SonicOS vulnerability that came to light in September 2024, when the vendor warned that it may have been exploited in the wild.
Reports emerged soon after disclosure that the vulnerability was apparently exploited in ransomware attacks, specifically Akira attacks.
The problem, as SonicWall now suggests, is that threat actors exploited the vulnerability to obtain device credentials. The affected firewalls have since been updated and may be fully patched, but if their administrators did not change the compromised credentials, attackers can still use them to log in; patching closes the bug without invalidating passwords that were already stolen.
“We are currently investigating less than 40 incidents related to this cyber activity,” SonicWall said. “Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset.”
The company also pointed out that “resetting passwords was a critical step outlined in the original advisory”.
However, based on archived versions of SonicWall’s advisory, the password reset advice was only added at some point in January 2025: a snapshot from December 2024 does not contain the password recommendation.
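The check that follows from this is worth spelling out. As an added example (not code from SonicWall or from any of the vendors cited in this article), the script below flags local firewall accounts whose password either predates the date the CVE-2024-40766 fix was applied or has no recorded reset at all, and notes which of them were carried over from a Gen 6 configuration. The record layout, field names, fix date and the sample accounts are all assumptions constructed for the example; a real inventory would be built from the firewall's local user list and whatever change records exist.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed record layout (an assumption for this example, not a SonicWall
# export format): one row per local user account on the firewall.
@dataclass(frozen=True)
class LocalUser:
    name: str
    password_last_set: Optional[date]   # None = no record of a reset
    carried_over_from_gen6: bool        # imported with a Gen 6 -> Gen 7 config
    sslvpn_access: bool                 # member of an SSL VPN-enabled group


# Hypothetical date the CVE-2024-40766 fix was applied to this firewall.
# A password set on or before this date may have been stolen through the
# bug, and applying the patch does nothing to invalidate it.
FIX_APPLIED = date(2024, 9, 10)


def stale_credentials(users, fix_applied=FIX_APPLIED):
    """Return [(name, reasons)] for every account whose password should be
    reset, SSL VPN accounts first and oldest passwords before newer ones.

    A missing password_last_set is treated as pre-fix: a config migration
    copies the password but not its history, so "unknown" has to mean
    "assume compromised" rather than "assume fine".
    """
    findings = []
    for u in users:
        reasons = []
        if u.password_last_set is None:
            reasons.append("no record of a password reset; treated as pre-fix")
        elif u.password_last_set <= fix_applied:
            reasons.append(
                f"password last set {u.password_last_set}, "
                f"on or before fix date {fix_applied}"
            )
        # Only explain the migration path for accounts that are already stale;
        # a carried-over account that was reset after the fix is fine.
        if reasons and u.carried_over_from_gen6:
            reasons.append("carried over unchanged from Gen 6 configuration")
        if reasons:
            findings.append((u, reasons))

    # Accounts that can open an SSL VPN session are the ones the Akira
    # operators log in as, so list them first, oldest password first.
    findings.sort(key=lambda f: (not f[0].sslvpn_access,
                                 f[0].password_last_set or date.min))
    return [(u.name, reasons) for u, reasons in findings]


# Constructed sample inventory covering the cases described in the article.
SAMPLE_USERS = [
    LocalUser("vpn-alice", date(2024, 6, 3), True, True),        # old password, migrated
    LocalUser("vpn-bob", date(2025, 1, 20), True, True),         # migrated, but reset after fix
    LocalUser("vpn-carol", None, True, True),                    # migrated, no reset recorded
    LocalUser("backup-admin", date(2024, 2, 14), False, False),  # stale, but no VPN access
    LocalUser("vpn-dave", date(2024, 11, 2), False, True),       # created after the fix
]


if __name__ == "__main__":
    for name, reasons in stale_credentials(SAMPLE_USERS):
        print(f"RESET {name}: " + "; ".join(reasons))
```

Run against the sample inventory it reports vpn-carol, vpn-alice and backup-admin, and leaves vpn-bob and vpn-dave alone, which is the distinction SonicWall's alert draws: the migration itself is not the problem, an unreset password that survived it is.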
Field Effect pointed out in its recent blog post that it has seen a Gen 8 SonicWall firewall compromised in the attacks. The company is still analyzing the incident, but the customer in question appears to have migrated from Gen 7 to Gen 8, whereas SonicWall’s alert focuses on advice for customers who imported configurations from Gen 6 into Gen 7 and newer.
Google warned in mid-July that a financially motivated threat actor tracked as UNC6148 had been observed targeting SonicWall SMA appliances in what is likely a different campaign.
However, Google said at the time the attackers were likely leveraging credentials obtained previously through the exploitation of known vulnerabilities to access devices that had since been patched but whose admins had not changed the compromised passwords.
UNC6148 had deployed a new piece of malware named Overstep, which has been described as a persistent backdoor and user-mode rootkit that enables the theft of credentials, session tokens and one-time password seeds.
Related: SonicWall Patches Critical SMA 100 Vulnerability, Warns of Recent Malware Attack
Related: SonicWall Firewall Vulnerability Exploited After PoC Publication
Related: CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks