Threat actors, including affiliates of the Akira ransomware group, are taking advantage of a critical remote code execution (RCE) vulnerability that SonicWall recently disclosed and patched in its firewall products. The vulnerability, identified as CVE-2024-40766, allows attackers to gain complete control of affected devices and potentially crash the firewall.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-40766 to its Known Exploited Vulnerabilities (KEV) database and is urging federal civilian executive branch (FCEB) agencies to address this vulnerability by September 30. This comes after reports of attack activity exploiting the vulnerability, prompting concerns about the security of SonicWall devices.
SonicWall first revealed the vulnerability on August 22, giving it a severity rating of 9.3 out of 10 on the CVSS scale. The company later updated the advisory to include local SSLVPN accounts as being vulnerable to CVE-2024-40766. Security firm Arctic Wolf observed Akira ransomware affiliates targeting SonicWall SSLVPN accounts through this vulnerability, highlighting the real-world impact of the exploit.
In response, SonicWall is advising customers to update to fixed versions of the affected technology as soon as possible. The company also recommends limiting firewall management functions to trusted sources, disabling WAN management via the internet, and ensuring that SSLVPN access is restricted to trusted sources or disabled from the internet. Additionally, SonicWall is urging administrators to have SSLVPN users with locally managed accounts change their passwords immediately and enable multifactor authentication (MFA) for all SSLVPN users.
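The KEV due date in the second paragraph and the hardening steps SonicWall recommends above are the things a defender actually has to track across a fleet. The script below is an added example (not from the article, CISA or SonicWall) that reads a KEV excerpt and a device inventory and reports which devices still fall short of the advisory's guidance. The KEV excerpt is constructed but uses the field names of CISA's public KEV JSON feed; the inventory records use a hypothetical schema of our own, not a SonicWall export format, and the device names, addresses and dates are made up.

```python
"""Audit firewall records against the SonicWall advisory guidance and the
CISA KEV due date. All inputs below are constructed for this example."""
import json
from datetime import date, datetime

CVE_ID = "CVE-2024-40766"
ADVISORY_DATE = date(2024, 8, 22)  # day SonicWall first published the advisory

# Constructed excerpt in the shape of CISA's KEV feed. Field names match the
# real feed; the values are a sample, not a copy of the live catalog.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": CVE_ID,
            "vendorProject": "SonicWall",
            "product": "SonicWall SonicOS",
            "dateAdded": "2024-09-09",      # sample value
            "dueDate": "2024-09-30",        # FCEB deadline named in the article
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-0000",       # placeholder entry for another vendor
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2024-09-01",
            "dueDate": "2024-09-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ]
})

# Constructed inventory records (hypothetical schema, not a SonicWall export).
INVENTORY = [
    {
        "name": "fw-branch-01",
        "patched": False,
        "wan_management_enabled": True,
        "sslvpn_enabled": True,
        "sslvpn_allowed_sources": ["any"],
        "sslvpn_mfa_required": False,
        "local_sslvpn_accounts": [
            {"user": "vpn-contractor", "password_changed": "2024-03-10"},
        ],
    },
    {
        "name": "fw-hq-01",
        "patched": True,
        "wan_management_enabled": False,
        "sslvpn_enabled": True,
        "sslvpn_allowed_sources": ["203.0.113.0/24"],  # RFC 5737 documentation range
        "sslvpn_mfa_required": True,
        "local_sslvpn_accounts": [
            {"user": "vpn-admin", "password_changed": "2024-09-10"},
        ],
    },
]


def kev_entry(feed_json, cve_id):
    """Return the KEV record for cve_id, or None if it is not listed."""
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return entry
    return None


def days_until_due(entry, today):
    """Days remaining before the KEV dueDate (negative once overdue)."""
    due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
    return (due - today).days


def audit_device(dev):
    """Return the list of advisory recommendations a device does not meet."""
    findings = []
    if not dev["patched"]:
        findings.append("not on a fixed firmware version")
    if dev["wan_management_enabled"]:
        findings.append("management reachable from the WAN")
    if dev["sslvpn_enabled"]:
        if "any" in dev["sslvpn_allowed_sources"]:
            findings.append("SSLVPN accepts connections from any source")
        if not dev["sslvpn_mfa_required"]:
            findings.append("MFA not enforced for SSLVPN users")
        for acct in dev["local_sslvpn_accounts"]:
            # Locally managed accounts must have rotated passwords after the advisory.
            if date.fromisoformat(acct["password_changed"]) < ADVISORY_DATE:
                findings.append(f"local account {acct['user']} password not rotated since advisory")
    return findings


def audit_fleet(inventory, feed_json, today):
    """Combine the KEV deadline with per-device findings into one report."""
    entry = kev_entry(feed_json, CVE_ID)
    report = {"kev_listed": entry is not None, "devices": {}}
    if entry is not None:
        report["days_until_due"] = days_until_due(entry, today)
    for dev in inventory:
        report["devices"][dev["name"]] = audit_device(dev)
    return report


if __name__ == "__main__":
    result = audit_fleet(INVENTORY, KEV_SAMPLE, date(2024, 9, 12))
    for name, findings in result["devices"].items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print(f"KEV remediation due in {result['days_until_due']} days")
```

Pointing `KEV_SAMPLE` at the real feed and `INVENTORY` at an export from your own asset system is the only change needed to run this against a live fleet; the per-device checks mirror the advisory's recommendations one for one, so a device with an empty findings list meets all of them.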
SonicWall products have become a popular target for threat actors due to the privileged access they provide to target networks. These products, including routers, VPNs, and other network security technologies, offer attackers the opportunity to intercept all network traffic and access valuable data. Security vendors and government agencies have repeatedly warned about the risks associated with vulnerabilities in network devices, emphasizing the importance of securing these critical components.
CISA has previously identified threats targeting networking appliances from various vendors, highlighting the ongoing risk posed by malicious actors seeking to exploit vulnerabilities in these devices. The agency issued a binding operational directive in June requiring FCEB agencies to implement strong measures to protect network devices such as firewalls, routers, switches, and VPN concentrators from cyber threats.
As the cybersecurity landscape continues to evolve, organizations must remain vigilant in addressing vulnerabilities in network devices and implementing robust security measures to protect against potential cyber attacks. The recent exploitation of the CVE-2024-40766 vulnerability in SonicWall devices serves as a reminder of the importance of proactive security practices in safeguarding critical infrastructure.