Tuesday, April 22, 2025

Thousands of SonicWall Devices Remain Vulnerable to CVE-2024-40766


A recent investigation by Macnica found that the Akira and Fog ransomware groups are actively exploiting the SonicWall NSA vulnerability CVE-2024-40766, an improper access control flaw in SonicOS management and SSL VPN access, to gain a foothold in victim organizations.

As of December 23, 2024, over 100 companies are suspected to have been victimized by these groups through this vulnerability.

Despite the disclosure in September 2024, a large number of devices, 48,933 at the time of the analysis, remain vulnerable to exploitation.

Analysis of organizations victimized by the Akira and Fog ransomware groups shows a far higher prevalence of SonicWall NSA devices than among victims of other ransomware groups.

Of 218 organizations compromised by Akira and Fog, over 100 (approximately 46%) were found to be running SonicWall network security appliances, compared with roughly 5% or less SonicWall NSA ownership among victims of other ransomware groups.

This discrepancy points to a connection between the successful deployment of Akira and Fog ransomware and the exploitation of vulnerabilities in SonicWall NSA devices.

The analysis suggests that the share of Akira and Fog victims compromised through the SonicWall NSA vulnerability between September and December may actually exceed 50%.

The observed rate stays at around 50% rather than higher for several reasons: some victim organizations cannot be reliably linked to their SonicWall devices, the attackers also use other intrusion vectors, and tactics vary between the threat actors.

While SonicWall has published neither a PoC nor a detailed impact assessment for the vulnerability, its recommendation to reset credentials and enable MFA strongly suggests that the flaw can be used to steal credentials.

Credential theft rarely leaves evidence that allows clear attribution, so definitive proof is hard to obtain; the high concentration of SonicWall devices among the organizations targeted by these groups is, however, strong circumstantial evidence that they are exploiting SonicWall vulnerabilities.

According to Macnica, Black Basta has also targeted SonicWall devices, although that activity has been declining recently.

Macnica developed a novel method for assessing whether a SonicWall NSA device has been patched against CVE-2024-40766: it analyzes the HTML structure of the device's web interface, and the method was validated against SNMP data from approximately 5,000 devices.
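As an added illustration of the kind of check described above (this is example code, not Macnica's tool or SonicWall's), the following Python script reduces a login page to a structural skeleton with text and banners removed, hashes it, looks the hash up in a fingerprint table built from devices whose firmware version is already known, and cross-checks that verdict against the firmware string reported in an SNMP sysDescr. The sample pages, fingerprint table, sysDescr format and fixed-build table are constructed assumptions for the example; real fingerprints must be collected from devices of known firmware, and the fixed builds must be taken from SonicWall's advisory for CVE-2024-40766 before the script is used for anything real.

```python
# Added example (not Macnica's or SonicWall's code): HTML structural
# fingerprinting of a firewall login page, cross-checked against an SNMP
# sysDescr firmware string. Sample pages, fingerprints, the sysDescr
# format and the fixed-build table are CONSTRUCTED placeholders.
import hashlib
import re
from html.parser import HTMLParser


class _Skeleton(HTMLParser):
    """Reduce a page to its tag structure; text, banners and whitespace are dropped."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        # Keep only attributes that describe structure, not content.
        keep = sorted((k, v) for k, v in attrs if k in ("id", "name", "type"))
        self.parts.append(tag + "".join(f"[{k}={v}]" for k, v in keep))

    def handle_endtag(self, tag):
        self.parts.append("/" + tag)


def html_skeleton(page):
    p = _Skeleton()
    p.feed(page)
    p.close()
    return ">".join(p.parts)


def skeleton_hash(page):
    return hashlib.sha256(html_skeleton(page).encode()).hexdigest()[:16]


# Constructed login pages standing in for a pre-patch and a post-patch build;
# the only structural difference is one extra hidden input.
PRE_PATCH_PAGE = """<html><body><form id="loginForm">
<input name="user" type="text"><input name="pass" type="password">
<input type="submit"></form><div id="banner">Welcome</div></body></html>"""
POST_PATCH_PAGE = """<html><body><form id="loginForm">
<input name="user" type="text"><input name="pass" type="password">
<input name="csrf" type="hidden"><input type="submit"></form>
<div id="banner">Welcome</div></body></html>"""

# Fingerprint table: built once from devices whose firmware is known (here the
# two constructed pages), then used to classify devices whose firmware is not.
FINGERPRINTS = {
    skeleton_hash(PRE_PATCH_PAGE): "pre-patch",
    skeleton_hash(POST_PATCH_PAGE): "post-patch",
}


def classify_page(page):
    """Label a captured login page, or 'unknown' if no fingerprint matches."""
    return FINGERPRINTS.get(skeleton_hash(page), "unknown")


# Illustrative placeholders for the first fixed build per SonicOS major branch.
# Confirm every value against SonicWall's advisory before real use.
FIXED_BUILD = {5: "5.9.2.14-13o", 6: "6.5.4.15-116n", 7: "7.0.1-5035"}

# Assumed sysDescr shape, e.g. "SonicWALL NSA 2650 (SonicOS Enhanced 6.5.4.14-109n)".
_VER_RE = re.compile(r"SonicOS(?: Enhanced)? (\d+(?:\.\d+)+-\d+)([a-z]?)")


def parse_sonicos_version(sysdescr):
    """Extract 'x.y.z-build[suffix]' from an SNMP sysDescr string, or None."""
    m = _VER_RE.search(sysdescr)
    return m.group(1) + m.group(2) if m else None


def version_key(ver):
    """Sortable key: (numeric components, build number, letter suffix)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)+)-(\d+)([a-z]?)", ver)
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2)), m.group(3)


def is_patched(ver):
    """True/False against the branch's fixed build; None for an unknown branch."""
    fixed = FIXED_BUILD.get(version_key(ver)[0][0])
    if fixed is None:
        return None  # do not guess for a branch we have no data for
    return version_key(ver) >= version_key(fixed)


def cross_check(page, sysdescr):
    """Return (html_verdict, snmp_verdict, agree) for one device."""
    html_verdict = classify_page(page)
    ver = parse_sonicos_version(sysdescr)
    patched = is_patched(ver) if ver else None
    snmp_verdict = {True: "post-patch", False: "pre-patch", None: "unknown"}[patched]
    return html_verdict, snmp_verdict, html_verdict == snmp_verdict


if __name__ == "__main__":
    print(cross_check(PRE_PATCH_PAGE, "SonicWALL NSA 2650 (SonicOS Enhanced 6.5.4.14-109n)"))
    print(cross_check(POST_PATCH_PAGE, "SonicWALL TZ 370 (SonicOS 7.1.1-7058)"))
```

Because the skeleton discards text nodes and attribute values other than id, name and type, a customized login banner or a reformatted page still matches the fingerprint of its firmware build, which is what makes the method usable across many independently configured devices. The SNMP path is only usable where the device exposes sysDescr to the scanner, which is why it serves as the validation set rather than the primary method.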

As of December 24, 2024, 48,933 publicly exposed SonicWall NSA devices remain vulnerable, and a breakdown of vulnerable devices by country shows poor remediation in several Asian countries.

Patch adoption slowed sharply about one month after the patch was released, mirroring the trend seen with most vulnerabilities.

Despite lacking definitive proof, strong evidence indicates that the critical SonicWall vulnerability (CVE-2024-40766) is actively exploited by the Akira and Fog threat actors. 

Three months after its discovery, SonicWall devices remain vulnerable on a global scale, with 13% of publicly exposed devices still unpatched, which allows attackers like Akira and Fog to compromise numerous devices and likely contributes to their increased success.

As the number of victims grows, the threat landscape for organizations utilizing SonicWall products continues to worsen, emphasizing the urgent need for immediate patching and enhanced security measures.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
