SonicWall Denies 0-Day Exploit, Links Recent Attacks to 2024 Vulnerability

Red Dog Security

08 Aug 2025 — 1 min read

SonicWall has confirmed that recent attacks targeting its 7th-generation firewalls with SSL VPN enabled were the work of the Akira ransomware group exploiting an old vulnerability—CVE-2024-40766—rather than a suspected zero-day.

Key Findings

Following an investigation into 40 incidents, SonicWall determined that attackers leveraged CVE-2024-40766, a critical SSL VPN access control flaw patched in August 2024.

The vulnerability allows unauthorized access to VPN endpoints, enabling session hijacking or network infiltration.
Earlier this month, Arctic Wolf and Huntress warned of Akira ransomware activity—observed since July 15, 2025—and initially suspected a zero-day exploit. SonicWall now disputes that assessment.

Why Were Systems Still Vulnerable?

SonicWall says many affected organizations had migrated from Gen 6 to Gen 7 firewalls but failed to reset local user passwords, a key step outlined in the original security bulletin.

Default or reused credentials left systems exposed even after applying the firmware patch.

SonicWall’s Recommendations

Update firmware to version 7.3.0+, which includes enhanced MFA and brute-force protection.
Reset all local user passwords, especially those used for SSL VPN access.
Audit migration logs to ensure no legacy credentials remain active.

Community Backlash

On Reddit, some users have reported inconsistencies with SonicWall’s explanation:

Claims that non-existent accounts were compromised post-migration.
Allegations that SonicWall declined to review submitted firewall logs.

Critics argue the official findings don’t fully align with observed attack patterns in the field.

Broader Context

CVE-2024-40766 was previously exploited by Akira and Fog ransomware in 2024.

This incident underscores the risks posed by incomplete patch adoption and poor credential hygiene during infrastructure upgrades.

Key Takeaway:
While no zero-day was involved, the combination of unpatched systems and weak post-migration practices gave attackers an opening. Organizations must enforce password resets and security audits after firewall upgrades to prevent credential-based compromise.

Jon von Tetzchner Speaks Out Against AI in Browsers

Jon von Tetzchner, head of the Norwegian company Vivaldi Technologies, developer of the Vivaldi browser, has voiced strong criticism of efforts to integrate AI models directly into web browsers. In his view, the industry’s push to merge AI with everyday browsing has already gone too far. AI in Browsers:

Endless Nonsense. An Editor's Column

They say evolution “invented” the crab at least five times—meaning five different species independently evolved into something crab-like. Scientists call this carcinization. The same process seems to be happening with social networks. Only instead of turning into crabs, they all turn into TikTok. Open any platform—YouTube, X, even

Law Enforcement Shuts Down Fake Identity Creation Service VerifTools

The FBI and Dutch police have announced the takedown of VerifTools, an underground marketplace that specialized in producing fake identity documents. During the operation, authorities seized both physical and virtual servers located in Amsterdam. A Marketplace for Fake IDs VerifTools operated as a large-scale platform for creating and selling fraudulent

NX Falls Victim to Supply Chain Attack: Hackers Steal Thousands of Secrets

The maintainers of NX have disclosed a major supply chain attack, dubbed s1ngularity, which occurred on August 26, 2025. The compromise of a developer’s token allowed attackers to publish malicious versions of the popular npm package and related tools, enabling them to steal user data on a large scale.