SonicWall Has ‘High Confidence’ Attacks Did Not Exploit Zero-Day Flaw
The security vendor said that exploits of a previously disclosed vulnerability are behind a ‘small’ number of cases of compromised Gen 7 firewalls.
SonicWall reported that exploitation of a previously disclosed vulnerability has been responsible for recent cyberattacks targeting Gen 7 firewalls with SSLVPN enabled, leading to a “small” number of cases of compromised devices.
Security researchers from two vendors, Arctic Wolf and Huntress, had earlier pointed to indicators that the attacks may have utilized a zero-day flaw, but an investigation does not support this conclusion, according to SonicWall.
“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability,” SonicWall said in an update to its security advisory about the incidents.
Instead, the attacks are believed to be linked to a critical-severity vulnerability initially disclosed in August 2024, which is tracked as CVE-2024-40766, according to the company.
“There is a significant correlation with threat activity related to CVE-2024-40766,” SonicWall said.
In a statement provided to CRN Thursday, SonicWall said the conclusion that the issue is “not a new zero-day or unknown vulnerability” was reached after the vendor “thoroughly investigated” the incidents.
In addition, “the affected population is small, fewer than 40 confirmed cases, and appears to be linked to legacy credential use during migrations from Gen 6 to Gen 7 firewalls,” the vendor said in the statement. “We’ve issued updated guidance, including steps to change credentials and upgrade to SonicOS 7.3.0, which includes enhanced MFA protections.”
In an update to its post Wednesday at 6 p.m. EDT, Huntress researchers said the company “continues to see organizations impacted by threat actors targeting SonicWall seventh-generation firewall appliances.”
“As of August 6, we’ve seen eight additional incidents (at least 28 overall) that stem from this cluster of threat activity,” Huntress researchers said.
Huntress researchers had written in a post Monday that SonicWall devices were being “actively exploited to bypass MFA and deploy ransomware.”
A researcher from Arctic Wolf had disclosed Aug. 1 that an increase in ransomware attacks impacting SonicWall devices had been observed in recent weeks, with Akira ransomware identified as involved in the attacks.