SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible.

The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.

"An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," SonicWall said in an updated advisory.

With the latest development, the company has revealed that CVE-2024-40766 also impacts the firewall's SSLVPN feature. The issue has been addressed in the below versions -

• SOHO (Gen 5 Firewalls) - 5.9.2.14-13o
• Gen 6 Firewalls - 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances)

The network security vendor has since updated the bulletin to reflect the possibility that it may have been actively exploited.

"This vulnerability is potentially being exploited in the wild," it added. "Please apply the patch as soon as possible for affected products."

As temporary workarounds, it's recommended to restrict firewall management to trusted sources or disable firewall WAN management from Internet access. For SSLVPN, it's advised to limit access to trusted sources, or disable internet access altogether.

Additional mitigations include enabling multi-factor authentication (MFA) for all SSLVPN users using one-time passwords (OTPs) and recommending customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts to immediately update their passwords for preventing unauthorized access.

There are currently no details about how the flaw may have been weaponized in the wild, but Chinese threat actors have, in the past, abused unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to establish long-term persistence.

Update

Cybersecurity companies Arctic Wolf and Rapid7 have warned that the newly disclosed critical flaw impacting SonicWall devices is likely being actively exploited by ransomware groups, including Akira.

"Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices," Arctic Wolf said.

"In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory. Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices were within the versions known to be vulnerable to CVE-2024-40766."

Rapid7, for its part, noted that "evidence linking CVE-2024-40766 to these incidents is still circumstantial" despite detecting ransomware groups targeting SonicWall SSLVPN accounts in recent incidents.

The vulnerability has since been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) list of known exploited vulnerabilities, requiring federal agencies to apply the fixes by September 30, 2024.