Recent Akira ransomware intrusions have been linked to CVE-2024-40766, a previously disclosed vulnerability affecting SonicWall firewall appliances. Initial reporting suggested the possibility of a zero-day vulnerability in the SSL VPN service that may allow unauthorized access without valid credentials. As of August 7th, 2025, SonicWall has confirmed that the activity aligns with exploitation of this known issue.
CVE-2024-40766, disclosed in August 2024, is an improper access control vulnerability in the SonicOS management interface. Under certain conditions, it can allow unauthorized access and may result in device crashes.
SonicWall reported that the recent activity primarily affected organizations that migrated from Gen 6 to Gen 7 firewalls without resetting local user account passwords. Password reset was a key step outlined in the original remediation guidance for this vulnerability.
MOXFIVE has responded to incidents involving Akira ransomware since the group’s emergence in 2023. In our October 2024 Threat Actor Spotlight, we documented Akira’s use of CVE-2024-40766 as part of the group’s broader pattern of exploiting newly disclosed vulnerabilities, particularly those affecting VPN and remote access technologies. This recent activity is consistent with Akira’s history of operationalizing vulnerabilities in edge infrastructure to facilitate initial access.
Mitigation Recommendations
Organizations using SonicWall firewalls should take immediate steps to confirm whether vendor guidance has been fully implemented:
MOXFIVE continues to support organizations responding to ransomware incidents and vulnerability exploitation, including recent activity linked to Akira.
Need Assistance?
If you need assistance with patching, monitoring or a current incident, please contact us at 833-568-6695 or email our team at incident@moxfive.com.