Advisory · Published Jun 23, 2026 · 1 source

Two Years After Patch, CVE-2024-40766 Still Haunts SonicWall Firewalls: Stale Accounts and Unrotated Passwords Leave 48,000+ Devices Exposed

A SANS ISC audit of 14 patched SonicWall firewalls reveals that 12 still harbor stale local accounts and 11 never rotated passwords after firmware upgrades, explaining why Akira and Fog ransomware groups continue exploiting CVE-2024-40766 two years after the patch.

In August 2024, SonicWall published advisory SNWLID-2024-0015 for CVE-2024-40766, an improper access control vulnerability in SonicOS with a CVSS score of 9.3. The flaw affects the management interface and SSLVPN service on Gen 5, Gen 6, and Gen 7 firewalls. Successful exploitation allows an attacker to gain unauthorized access to the firewall or, under certain conditions, crash the device entirely. SonicWall reports serving approximately 500,000 businesses across 215 countries and territories, many of which rely on SSLVPN as their sole remote access method and lack dedicated security teams—a combination that ransomware operators have aggressively targeted.

Akira and Fog ransomware groups have been exploiting CVE-2024-40766 since at least September 2024, when Arctic Wolf first reported Akira affiliates compromising SSLVPN accounts on vulnerable devices. By December 2024, Macnica research confirmed that roughly half of organizations listed on Akira and Fog leak sites were running SonicWall, and at least 48,933 devices remained publicly exposed and unpatched. The exploitation has escalated in waves, with Arctic Wolf, Huntress, and Bitdefender reporting a surge of Akira intrusions targeting Gen 7 firewalls in July–August 2025. Fog ransomware operators accounted for roughly 25 percent of intrusions during this period, while Akira accounted for 75 percent. Researchers initially suspected a zero-day, but SonicWall confirmed with high confidence that the activity still correlated with CVE-2024-40766. Many compromised organizations had migrated from Gen 6 to Gen 7 without resetting local user passwords. Dwell times were alarmingly short: Arctic Wolf documented encryption occurring in under four hours from initial access, with some cases as fast as 55 minutes.

The problem deepened in September 2025 when SonicWall confirmed a separate breach of its MySonicWall cloud platform, where attackers accessed firewall configuration backup files containing encrypted credentials. SonicWall initially stated that fewer than 5 percent of its customer base was affected, but later concluded that all backup files had been compromised. Any organization with a MySonicWall account should assume its configuration backup was accessed and its encrypted credentials exposed. In October 2025, Huntress reported over 100 SSLVPN accounts compromised across 16 customer environments in a single wave—attackers authenticated rapidly using valid credentials obtained from another source, not brute-forcing.

In February and March 2026, ReliaQuest documented what they assessed as the first in-the-wild exploitation of CVE-2024-12802, a separate authentication bypass vulnerability that allows attackers to bypass MFA on SonicWall SSLVPN appliances. On Gen 6 devices, the firmware patch alone does not remediate the flaw; six additional manual LDAP reconfiguration steps are required. In the environments ReliaQuest investigated, the devices appeared patched based on firmware version but were still fully exploitable. Attackers brute-forced credentials with automated tooling, bypassed MFA without triggering any failed-login alerts, and in one case reached a file server and deployed pre-ransomware staging tools within 30 minutes of VPN access. On April 16, 2026, SonicWall Gen 6 devices reached end-of-life; no further firmware updates or security patches will be issued for that hardware generation. Gen 6 devices remain common in production environments, especially at small businesses and in networks assembled through mergers and acquisitions. Any Gen 6 device still running SSLVPN is now operating without vendor support on a platform with two actively exploited vulnerabilities and no future remediation path.

A SANS ISC audit of 14 patched SonicWall firewalls, detailed in a diary post, found that the common thread across two years of exploitation is not novel exploits but valid credentials to accounts that should not exist on devices that were patched but never cleaned up. The most common finding was stale local accounts: 12 of 14 firewalls had SSLVPN accounts that did not exist in Active Directory. Some were legacy service accounts from the Gen 6 era; some were accounts created during onboarding for employees who had left years ago; a few had usernames containing non-printable characters—a strong indicator of automated account creation by exploitation tooling. The second finding was the most dangerous: 11 of 14 firewalls had not rotated local account passwords after the firmware upgrade. The same credentials that may have been exposed through the vulnerability or through the MySonicWall backup incident remain valid. An attacker who collected them six months ago can use them today. The third finding was the lack of any source-IP restriction on SSLVPN authentication: 10 of 14 firewalls accepted VPN connections from any IP on the planet, with no geo-IP filtering or ASN blocking.
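The three audit conditions above (local SSLVPN accounts absent from Active Directory, usernames with non-printable characters, and passwords not rotated since the firmware upgrade, plus an unrestricted SSLVPN source) can be checked mechanically once the firewall's local user list and the AD user list have been exported. The script below is an added example, not code from the SANS diary or from SonicWall; the record layout, the constructed sample accounts and the firmware-upgrade date are assumptions, and an empty allowed-sources list is taken to mean no source-IP restriction is configured.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LocalUser:
    name: str               # local username as shown on the firewall
    password_changed: date  # date the local password was last set
    sslvpn: bool            # True if the account may authenticate to SSLVPN


def has_nonprintable(name: str) -> bool:
    """Control or other non-printable characters in a username point to an
    account created by tooling rather than by an administrator."""
    return any(not ch.isprintable() for ch in name)


def audit_sslvpn_accounts(local_users, ad_usernames, firmware_upgraded, allowed_sources):
    """Return (finding, subject) tuples: stale accounts not present in AD,
    suspicious usernames, passwords not rotated after the firmware upgrade,
    and an SSLVPN service reachable from any source address."""
    ad = {u.casefold() for u in ad_usernames}
    findings = []
    for u in local_users:
        if not u.sslvpn:
            continue
        if u.name.casefold() not in ad:
            findings.append(("stale_account", u.name))
        if has_nonprintable(u.name):
            findings.append(("suspicious_username", u.name))
        if u.password_changed <= firmware_upgraded:
            findings.append(("unrotated_password", u.name))
    if not allowed_sources:
        findings.append(("sslvpn_open_to_any_source", "0.0.0.0/0"))
    return findings


# Constructed sample data (hypothetical; not taken from any real device).
SAMPLE_LOCAL_USERS = [
    LocalUser("jsmith", date(2025, 9, 2), True),            # current staff, rotated
    LocalUser("svc_backup_gen6", date(2022, 3, 14), True),  # legacy Gen 6 service account
    LocalUser("ajones", date(2023, 11, 1), True),           # employee who left
    LocalUser("tmp\x01user", date(2025, 5, 20), True),      # non-printable byte in name
    LocalUser("admin", date(2023, 1, 9), False),            # management only, not SSLVPN
]
SAMPLE_AD_USERS = {"jsmith", "admin"}      # assumed export of AD user names
SAMPLE_FIRMWARE_UPGRADE = date(2025, 8, 1)  # assumed date of the Gen 7 upgrade
SAMPLE_ALLOWED_SOURCES = []                 # nothing configured: any IP may try to log in


def run_sample():
    return audit_sslvpn_accounts(SAMPLE_LOCAL_USERS, SAMPLE_AD_USERS,
                                 SAMPLE_FIRMWARE_UPGRADE, SAMPLE_ALLOWED_SOURCES)
```

Every account flagged `stale_account` or `suspicious_username` is a candidate for deletion, and every `unrotated_password` hit is a credential that may still be valid from the pre-patch or MySonicWall-backup exposure.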

The SANS audit underscores a critical lesson: patching firmware is not enough. Organizations must also audit and clean up local accounts, rotate passwords after upgrades, and implement source-IP restrictions on SSLVPN authentication. Without these steps, even fully patched SonicWall firewalls remain vulnerable to the same attacks that have been ongoing since September 2024. As Gen 6 devices reach end-of-life and the MySonicWall breach exposes credentials, the window for remediation is closing fast.

Synthesized by Vypr AI