Ransomware Attacks Target SonicWall Firewall Vulnerability

Over the past week, a large number of attacks by the ransomware group Akira have been reported, where the initial attack vector seems to be SonicWall firewalls (Gen 7 and newer) with SSLVPN enabled. Yesterday, SonicWall issued updated guidance on the activity. The guidance states that SonicWall believes this activity is not connected to a zero-day vulnerability, but is rather associated with a previously reported vulnerability, CVE-2024-40766, addressed in SonicWall’s public advisory SNWLID-2024-0015.

The guidance goes on to “strongly urge” SonicWall customers to employ the following measures:

  • Update firmware to version 7.3.0, which includes enhanced protections against brute force attacks and additional multi-factor authentication (MFA) controls. SonicWall has provided a firmware update guide.
  • Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
  • Continue applying the previously recommended best practices, listed below.

Previously, on August 4, SonicWall had recommended the following:

  • Disable SSLVPN services where practical.
  • Limit SSLVPN connectivity to trusted source IPs.
  • Enable security services. 
    • Activate services such as Botnet Protection and Geo-IP Filtering.
    • These help detect and block known threat actors targeting SSLVPN endpoints.
  • Enforce MFA.
    • Enable MFA for all remote access to reduce the risk of credential abuse.
  • Remove unused accounts.
    • Delete any inactive or unused local user accounts on the firewall.
    • Pay special attention to those with SSLVPN access.
  • Practice good password hygiene.
    • Encourage regular password updates across all user accounts.
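
The account-related measures above (password resets for accounts with SSLVPN access, MFA enforcement, removal of unused accounts) can be checked against a user inventory. The following is an added example, not part of SonicWall's guidance or tooling: the CSV column names, the sample rows, the dates and the 90-day inactivity threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory. The column names are assumptions for this
# example, not a SonicWall export format.
SAMPLE_CSV = """\
username,sslvpn_access,mfa_enabled,last_login,password_changed,migrated_from_gen6
alice,yes,yes,2025-08-01,2025-08-07,yes
bob,yes,no,2025-07-30,2023-02-11,yes
carol,yes,yes,2024-11-02,2025-08-07,no
dave,no,no,2025-08-03,2024-01-15,yes
svc-backup,yes,no,,2022-06-30,yes
"""

def audit_accounts(csv_text, today, reset_cutoff, inactive_days=90):
    """Return {username: [findings]} for local accounts needing action.

    reset_cutoff: date on or after which a password counts as reset.
    inactive_days: assumed threshold for treating an account as unused.
    """
    findings = {}
    stale_before = today - timedelta(days=inactive_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["sslvpn_access"].strip().lower() != "yes":
            continue  # the guidance focuses on accounts with SSLVPN access
        issues = []
        changed = date.fromisoformat(row["password_changed"])
        if changed < reset_cutoff:
            note = "password not reset"
            if row["migrated_from_gen6"].strip().lower() == "yes":
                note += " (carried over from Gen 6)"
            issues.append(note)
        if row["mfa_enabled"].strip().lower() != "yes":
            issues.append("MFA not enabled")
        last = row["last_login"].strip()
        # An empty last_login means the account has never been used.
        if not last or date.fromisoformat(last) < stale_before:
            issues.append("unused or inactive: remove")
        if issues:
            findings[row["username"]] = issues
    return findings

if __name__ == "__main__":
    report = audit_accounts(SAMPLE_CSV, date(2025, 8, 8), date(2025, 8, 6))
    for user, issues in sorted(report.items()):
        print(f"{user}: {'; '.join(issues)}")
```

Accounts without SSLVPN access are skipped here only because the guidance singles out SSLVPN users; a fuller review would cover every local account.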

Contact Shook’s Cybersecurity and Incident Response team with any questions.