SANS Internet Storm Center · Vendor research

CVE-2024-40766: The Patch Fixed the Bug. Nobody Fixed the Configuration.

By SANS Internet Storm Center

SonicWall addressed the improper access control flaw CVE-2024-40766 in SonicOS, impacting the management interface and SSLVPN service on Gen 5, Gen 6 and Gen 7 firewalls; however, threat actors (including Akira and Fog) have continued exploiting patched devices by abusing leftover configuration and credential issues rather than “new” bypasses. Active intrusions have also highlighted additional risk on Gen 6 related to CVE-2024-12802, where firmware-only patching may not remove the MFA bypass condition. The takeaway: organizations must not only apply SonicOS updates, but also complete post-patch cleanup (rotate passwords, remove stale/orphaned users, correct LDAP group settings, and restrict the Virtual Office Portal) to close the exploitable gaps.
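The summary's point is that the firmware update alone does not close the gap: the cleanup steps (rotate passwords, remove stale or orphaned users, correct LDAP group settings, restrict the Virtual Office Portal) have to be verified afterwards. The following is an added example of such a post-patch audit, written for this page; it is not SonicWall's code nor the ISC diary's. The account records, the group names `SSLVPN Services` and `MFA-Required`, the settings keys and the patch date are all constructed for the demo, and the real configuration export or API fields would replace them.

```python
"""Post-patch configuration audit for a firewall that has just been updated.

Added example: the record layout, group names, settings keys and dates below
are constructed placeholders, not SonicOS identifiers.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PATCH_APPLIED = date(2024, 9, 1)    # constructed: day the SonicOS update was applied
STALE_AFTER = timedelta(days=90)    # constructed policy: no login in 90 days = stale

SSLVPN_GROUP = "SSLVPN Services"    # hypothetical group that grants VPN access
MFA_GROUP = "MFA-Required"          # hypothetical group that enforces a second factor


@dataclass(frozen=True)
class Account:
    name: str
    is_local: bool                    # local firewall user vs. LDAP-backed user
    password_changed: Optional[date]  # None means the password was never rotated
    last_login: Optional[date]        # None means the account never signed in
    groups: Tuple[str, ...]
    vpn_enabled: bool


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {account name: [issues]} for every account that still needs cleanup."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        # 1. Credentials that predate the patch may already have been harvested;
        #    local accounts are the ones the firewall itself stores, so rotate them.
        if acct.is_local and (acct.password_changed is None
                              or acct.password_changed < PATCH_APPLIED):
            issues.append("rotate-password")
        # 2. Orphaned or dormant accounts: never used, or idle past the policy window.
        if acct.last_login is None or today - acct.last_login > STALE_AFTER:
            issues.append("stale-account")
        # 3. Group hygiene: VPN-capable accounts must be in the intended VPN group
        #    and in the group that enforces MFA, otherwise the policy is not applied.
        if acct.vpn_enabled and SSLVPN_GROUP not in acct.groups:
            issues.append("vpn-without-group")
        if acct.vpn_enabled and MFA_GROUP not in acct.groups:
            issues.append("vpn-without-mfa")
        if issues:
            findings[acct.name] = issues
    return findings


def audit_portal(settings: Dict[str, object]) -> List[str]:
    """Flag a Virtual Office portal that is enabled but has no source restriction.

    The two keys are hypothetical names for the exported settings.
    """
    issues: List[str] = []
    if settings.get("virtual_office_portal_enabled") and \
            not settings.get("virtual_office_portal_allowed_sources"):
        issues.append("portal-unrestricted")
    return issues


# Constructed sample data standing in for a configuration export.
SAMPLE_ACCOUNTS = [
    Account("admin", True, date(2024, 6, 1), date(2024, 10, 14), ("Administrators",), False),
    Account("svc_backup", True, None, date(2024, 3, 1), (), True),
    Account("jdoe", False, date(2024, 9, 10), date(2024, 10, 10), (SSLVPN_GROUP, MFA_GROUP), True),
    Account("old_contractor", False, date(2023, 1, 1), date(2023, 12, 1), (SSLVPN_GROUP,), True),
]
SAMPLE_SETTINGS = {
    "virtual_office_portal_enabled": True,
    "virtual_office_portal_allowed_sources": [],   # empty list: reachable from anywhere
}


def run_demo(today: date = date(2024, 10, 15)):
    """Run both audits over the constructed sample and return their findings."""
    return audit_accounts(SAMPLE_ACCOUNTS, today), audit_portal(SAMPLE_SETTINGS)


if __name__ == "__main__":
    accounts, portal = run_demo()
    for name, issues in accounts.items():
        print(f"{name}: {', '.join(issues)}")
    print("portal:", ", ".join(portal) or "ok")
```

The audit deliberately treats "patched" as irrelevant to the account findings: every check is about state that survives a firmware update. An empty result from both functions is the condition the summary describes as closing the exploitable gap; any non-empty finding is a cleanup item, not a reason to re-apply the patch.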

The vulnerability

In August 2024 SonicWall published advisory SNWLID-2024-0015 for CVE-2024-40766, an improper access control vulnerability in SonicOS with a CVSS score of 9.3. It affects the management interface and the SSLVPN service on Gen 5, Gen 6 and Gen 7 firewalls, and each generation has its own affected firmware range: Gen 5 running SonicOS 5.9.2.14-12o and older, Gen 6 running 6.5.4.14-109n and older, and Gen 7 running SonicOS 7.0.1-5035 and older. Successful exploitation lets an attacker gain unauthorized access to the firewall, and under certain conditions it crashes the device entirely.…
