No Zero-Day, Just an old CVE: Akira Exploits Known SonicWall Flaw 

CYPFER Investigates Active Use of CVE-2024-40766 by Ransomware Affiliates Targeting Misconfigured SSL VPNs

CYPFER ThreatFlash: Critical Threat Intelligence – Delivered with Cyber Certainty™

In early August, CYPFER’s global incident response teams identified a sharp uptick in ransomware attacks linked to Akira affiliates targeting SonicWall SSL VPNs. Initial reports raised alarm over a potential zero-day, but investigation confirms otherwise: attackers are exploiting CVE-2024-40766, a known and previously patched vulnerability. These incidents underscore a critical truth: threat actors don’t always need new exploits; they rely on old weaknesses and misconfigurations. This ThreatFlash provides verified insights from the front lines, so your organization can take decisive action and maintain Cyber Certainty™. 

In the first few days of August, security researchers reported that fully patched SonicWall systems with enforced MFA were compromised via SSL VPN, leading to a blitz of Akira ransomware deployments and a fear that Akira affiliates were exploiting a new zero-day. However, these fears proved unfounded; the compromises instead came down to attacker ingenuity and configuration missteps. SonicWall has since stated with “high confidence” that no zero-day was involved. Rather, attackers are gaining access through user accounts that were improperly carried over from Gen 6 appliances without a password reset, a misconfiguration SonicWall previously warned about. In a released bulletin, SonicWall stated that the attackers are targeting CVE-2024-40766, an unauthorized access flaw fixed in August 2024:

“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015.” 

CVE-2024-40766 is a critical SSL VPN access control flaw in SonicOS that allows unauthorized access to vulnerable endpoints, enabling attackers to hijack sessions or gain VPN access in protected environments.

CYPFER researchers first witnessed an Akira campaign exploiting CVE-2024-40766 starting in August 2024 and lasting until October 2024. However, CYPFER has also observed a Qilin campaign abusing multiple SSL VPN CVEs and Sonic SMA VPN CVEs throughout 2025, demonstrating that more than one threat actor is crafty enough to use this style of attack to compromise victims and perpetuate cybercrime.

If you have concerns you might be a victim of Akira, Qilin, or any other threat actor group, CYPFER is here to help. CYPFER’s incident response and forensics teams are currently supporting organizations targeted in these campaigns. We offer rapid incident response services, compromise assessments, threat hunting, and full-scale recovery support. 

Do not wait for confirmation of compromise. Get certainty. Contact CYPFER to validate exposure, mitigate risk, and restore confidence.
