No Zero-Day, Just an Old CVE: Akira Exploits Known SonicWall Flaw

CYPFER Investigates Active Use of CVE-2024-40766 by Ransomware Affiliates Targeting Misconfigured SSL VPNs

CYPFER ThreatFlash:  Critical Threat Intelligence – Delivered with Cyber Certainty™ 

In early August, CYPFER’s global incident response teams identified a sharp uptick in ransomware attacks linked to Akira affiliates targeting SonicWall SSL VPNs. Initial reports raised alarm over a potential zero-day, but investigation confirms otherwise: attackers are exploiting CVE-2024-40766, a known and previously patched vulnerability. These incidents underscore a critical truth: threat actors don’t always need new exploits; they rely on old weaknesses and misconfigurations. This ThreatFlash provides verified insights from the front lines, so your organization can take decisive action and maintain Cyber Certainty™. 

In the first few days of August, security researchers reported that fully patched SonicWall systems with enforced MFA were compromised via SSL VPN, leading to a blitz of Akira ransomware deployments and a fear that Akira affiliates were exploiting a new zero-day. However, these fears proved unfounded; the compromises instead came down to attacker ingenuity and configuration missteps. SonicWall has since stated with “high confidence” that no zero-day was involved. Rather, attackers are gaining access through user accounts improperly carried over from Gen 6 appliances without a password reset, a misconfiguration SonicWall previously warned about. In a released bulletin, SonicWall stated that the attackers are targeting CVE-2024-40766, an unauthorized access flaw fixed in August 2024:

“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015.” 

CVE-2024-40766 is a critical SSLVPN access control flaw in SonicOS, allowing unauthorized access to vulnerable endpoints, enabling attackers to hijack sessions or gain VPN access in protected environments.

CYPFER researchers first witnessed an Akira campaign exploiting CVE-2024-40766 starting in August 2024 and lasting until October 2024. However, CYPFER has also observed a Qilin campaign abusing multiple SSL VPN CVEs and SonicWall SMA VPN CVEs throughout 2025, demonstrating that more than one threat actor is crafty enough to use this style of attack to compromise victims and perpetuate cybercrime.

If you have concerns you might be a victim of Akira, Qilin, or any other threat actor group, CYPFER is here to help. CYPFER’s incident response and forensics teams are currently supporting organizations targeted in these campaigns. We offer rapid incident response services, compromise assessments, threat hunting, and full-scale recovery support. 

Do not wait for confirmation of compromise. Get certainty. Contact CYPFER to validate exposure, mitigate risk, and restore confidence.
