Alert: Active Exploit of Critical SonicWall CVE via SSLVPN for Initial Access

The APG and the Blackpoint Active SOC just triangulated published news of active exploitation of a SonicWall CVE exploited by threat actors to gain initial access via SSLVPN.

The Blackpoint Active SOC recently combatted threat actors actively exploiting SSLVPN for initial access attempts within Blackpoint-managed environments — expect a full analysis of that incident forthcoming next Tuesday, September 10.

Therefore, we consider the following alert on the SonicWall CVE-2024-40766 critically important!

What We Know About SonicWall CVE-2024-40766

Per SonicWall’s security bulletin (1), the following vulnerability impacts SonicWall Gen 5 & 6 devices, as well as Gen. 7 devices running SonicOS ver. 7.0.1-5035 and older.

  • CVE-2024-40766 (CVSS Score 9.3)
    • What it is: Improper Access Control (IAC) vulnerability
    • How it’s exploited: Threat actors can exploit this vulnerability to gain initial access via SSLVPN, thereby accessing sensitive environments and deploying malicious payloads.
    • Additional information for MSPs: The APG assesses there is an even chance that threat actors could also abuse this access to conduct supply-chain attacks against downstream customers.

Potential Risk for Your Organization from SonicWall CVE-2024-40766 Exploitation

The APG and Blackpoint SOC alike both believe that there is
a high chance of attempted exploitation within environments running impacted versions of SonicOS and vulnerable devices.

According to SonicWall’s own advisory (1, threat actors have already attempted to exploit CVE-2024-40766 for initial access in the wild.

The Blackpoint Active SOC team also responds to incidents involving threat actor abuse of SSLVPN for initial access, including a recent incident on September 01, 2024, involving an Institutions & Organizations partner.

The public analysis of that incident that will be available next week on Tuesday, September 10.

How to Mitigate Exploitation Risk of SonicWall CVE-2024-40766

Per SonicWall’s advisory (1), organizations can:

  • Apply the patch as soon as possible for any affected products, with the latest patch builds currently available for download (2);
  • Enforce multi-factor authentication (MFA) on all VPN accounts;
  • Consider re-generating the SSL certificate for the VPN;
  • Restrict firewall management to trusted sources; and / or
  • PLEASE disable firewall WAN management from Internet access to minimize potential impact, wherever possible!!

For Gen 5 and Gen 6 devices:

  • SSLVPN users with local accounts should update their passwords immediately.
  • Administrators should enable the “User must change password” option for local users.

Current SOC Status for SonicWall CVE-2024-40766 Exploitation

While the Blackpoint Active SOC team has recently combatted SSLVPN initial access compromise within our managed environments, we have NOT confirmed explicit indicators of compromise (IoCs) in our partners’ environments showing threat actor exploitation of SonicWall CVE-2024-40766, including for your organization.

The Active SOC team will continue to actively monitor for any IoCs associated with this incident. The APG team will update this notice as a courtesy to you, should we detect otherwise.

Resources and References

  1. SonicWall’s Advisories: “SonicOS Improper Access Control Vulnerability 9.3” by SonicWall on 2024-09-06
  2. SonicWall’s MySonicWall: “MySonicWall Login” by SonicWall on N/A
DATE PUBLISHEDSeptember 6, 2024
AUTHORBlackpoint Cyber

Subscribe to the Blackpoint Blog

Don’t let a lack of awareness leave the organizations you protect vulnerable to sophisticated and elusive attacks. Subscribe now for a weekly roundup of Blackpoint’s empowering articles.

Subscribe now!