Australian Cyber Authorities Warn of Active Exploitation of SonicWall SSL Vulnerability (CVE-2024-40766)
Australia's ACSC warns that the SonicWall SSL VPN vulnerability CVE-2024-40766 is being exploited, leading to unauthorized access and firewall crashes. Multiple device generations are affected; organizations should update firmware, reset passwords and enable MFA to counter the threat. 2025-09-10 14:00:52 Author: cyble.com

ASD’s ACSC warns of active CVE-2024-40766 exploits in SonicWall SSL VPNs, allowing unauthorized access and firewall crashes across multiple device generations.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has issued an urgent warning following the active exploitation of a critical vulnerability affecting SonicWall SSL VPN appliances across Australia. The flaw, CVE-2024-40766, is being leveraged by threat actors, including those deploying Akira ransomware, to gain unauthorized access to networks and, in some instances, cause firewall crashes. 

This vulnerability, first disclosed in August 2024 under SonicWall advisory ID SNWLID-2024-0015, affects multiple generations of SonicWall devices: Gen 5 and Gen 6 firewalls on their respective older firmware branches, and Gen 7 firewalls running SonicOS 7.0.1-5035 and earlier. The flaw is classified as CWE-284: Improper Access Control and carries a CVSS v3 base score of 9.3, placing it in the critical severity range. 

“This vulnerability is potentially being exploited in the wild,” the official SonicWall advisory warns. “Please apply the patch as soon as possible for affected products.” 

Scope of Impact and Technical Risk

The CVE-2024-40766 vulnerability allows attackers to bypass access controls, enabling unauthorized resource access. Under certain conditions, exploitation may result in a firewall crash. While the issue primarily affects legacy firmware, recent incidents suggest that even Gen 7 appliances may be exposed, especially when configurations from older devices were migrated without appropriate credential resets. 

According to SonicWall’s own assessment, “less than 40 incidents” have been linked to this activity, many of which involved organizations migrating from Gen 6 to Gen 7 devices without updating local user passwords. 

In response, SonicWall has released updated firmware versions and continues to advise users to immediately reset all local SSLVPN account passwords, particularly for accounts carried over during firewall migrations. 

Official Mitigation Guidance 

The ACSC and SonicWall have outlined several key mitigation strategies: 

  1. Firmware Updates: All affected devices must be updated to the latest available firmware: 
     • Gen 5: Version 5.9.2.14-13o and higher 
     • Gen 6: Version 6.5.4.15.116n and higher 
     • Gen 7: Version 7.3.0 and higher 
  2. Credential Hygiene: Organizations must reset all local user passwords on devices where user configurations were imported. SonicWall has also released a bulk password change automation script for administrators. 
  3. Multi-Factor Authentication (MFA): To reduce the risk of credential-based attacks, it is strongly recommended that all SonicWall SSL VPN accounts enable MFA (e.g., TOTP or email-based OTP). 
  4. Access Control Hardening: Administrators are urged to restrict SSLVPN and firewall WAN management access to trusted sources or disable internet-facing access altogether. 
  5. Monitoring and Logging: Event logging for all SSLVPN login attempts should be enabled to detect unauthorized access in real time. Additionally, account lockout mechanisms should be configured to mitigate brute-force attempts. 
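The first step above is easy to get wrong at scale because SonicOS version strings mix dotted numbers, build numbers after a hyphen and a trailing build letter. As an added example (not code from the advisory, from the ACSC or from SonicWall), the following Python script triages a firewall inventory against the minimum versions listed above and separately flags hardware the advisory says will never be patched (Gen 5 other than SOHO, and the NSA 2600). The inventory is constructed for the example; the version thresholds are the ones in the list above, so adjust FIXED_VERSIONS if your vendor advisory lists additional fixed branches for specific models.

```python
import re

# Minimum fixed firmware per generation, as listed in the guidance above.
FIXED_VERSIONS = {5: "5.9.2.14-13o", 6: "6.5.4.15.116n", 7: "7.3.0"}

# End-of-life hardware that will not receive a patch (per the advisory text):
# Gen 5 units other than SOHO, and the NSA 2600.
EOL_MODELS = {"NSA 2600", "NSA2600"}


def parse_version(v: str):
    """Turn a SonicOS version string into a comparable key.

    '6.5.4.15.116n' -> ((6, 5, 4, 15, 116), 'n')
    '7.0.1-5035'    -> ((7, 0, 1, 5035), '')
    Every numeric field is compared as an integer, so 7.3.0 > 7.0.1-5035 and
    116 > 109; a trailing build letter is only a tiebreaker. A bare '7.3.0'
    compares lower than any '7.3.0-NNNN' build, which matches "7.3.0 and higher".
    """
    nums = tuple(int(x) for x in re.findall(r"\d+", v))
    suffix = re.search(r"[A-Za-z]+$", v)
    return nums, (suffix.group(0).lower() if suffix else "")


def generation_of(version: str) -> int:
    # SonicOS major version tracks the hardware generation (5.x, 6.x, 7.x).
    return parse_version(version)[0][0]


def is_eol(model: str, generation: int) -> bool:
    m = model.upper().strip()
    if generation == 5 and not m.startswith("SOHO"):
        return True
    return m in EOL_MODELS


def assess(model: str, version: str) -> str:
    """Return 'patched', 'vulnerable', 'eol-unpatchable' or 'unknown'."""
    gen = generation_of(version)
    if gen not in FIXED_VERSIONS:
        return "unknown"
    if is_eol(model, gen):
        return "eol-unpatchable"  # no fix is coming: decommission or segment
    if parse_version(version) >= parse_version(FIXED_VERSIONS[gen]):
        return "patched"
    return "vulnerable"


# Constructed sample inventory (model, running firmware); not real devices.
INVENTORY = [
    ("TZ 470", "7.0.1-5035"),
    ("TZ 470", "7.3.0-7012"),
    ("NSa 2650", "6.5.4.14-109n"),
    ("NSa 2650", "6.5.4.15.116n"),
    ("NSA 2600", "6.5.4.14-109n"),
    ("SOHO", "5.9.2.14-12o"),
    ("TZ 210", "5.9.2.14-12o"),
]


def triage(inventory=INVENTORY):
    return [(model, version, assess(model, version)) for model, version in inventory]


if __name__ == "__main__":
    for model, version, status in triage():
        print(f"{model:10} {version:16} {status}")
```

Devices reported as "vulnerable" need the firmware update plus the credential reset and MFA steps; devices reported as "eol-unpatchable" cannot be brought into compliance by patching at all and should be removed from internet-facing roles.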

Indicators of Compromise (IoCs) 

The following IP addresses have been identified in connection with ongoing exploitation: 

  • 88[.]119[.]175[.]104 
  • 45[.]149[.]172[.]51 
  • 172[.]86[.]116[.]8 
  • 216[.]146[.]25[.]208 
  • 194[.]48[.]154[.]67 
  • 162[.]120[.]71[.]224 
  • 45[.]61[.]157[.]15 

The ACSC has advised enabling Botnet Filtering where possible, as these IPs are automatically flagged. If filtering is unavailable, manual blocking through firewall access rules is advised. 
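Where Botnet Filtering is not available, the same IoC list is worth running retrospectively over exported SSLVPN login events, together with the threshold logic an account-lockout policy applies, so that a burst of failed logins (or a success that follows one) is surfaced. As an added example (not code from the advisory, the ACSC or SonicWall), the following Python does both over a constructed log sample. The log shape it parses (space-separated key=value pairs, quoted message text, src=ip:port:interface) and the message wording are assumptions for the example; adapt parse_line and the "login failed"/"login successful" matches to the exact format your devices emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# IoC addresses from the advisory above; defanging brackets are removed so they parse.
IOC_IPS = {ip_address(s.replace("[.]", ".")) for s in [
    "88[.]119[.]175[.]104", "45[.]149[.]172[.]51", "172[.]86[.]116[.]8",
    "216[.]146[.]25[.]208", "194[.]48[.]154[.]67", "162[.]120[.]71[.]224",
    "45[.]61[.]157[.]15",
]}

# Constructed sample events (assumed key=value syslog shape); not a real capture.
SAMPLE_LOG = """\
time="2025-09-08 02:14:03" msg="SSL VPN login failed" usr="jsmith" src=88.119.175.104:51512:X1 dst=203.0.113.10:443:X1
time="2025-09-08 02:14:09" msg="SSL VPN login failed" usr="jsmith" src=88.119.175.104:51530:X1 dst=203.0.113.10:443:X1
time="2025-09-08 02:14:15" msg="SSL VPN login failed" usr="jsmith" src=88.119.175.104:51544:X1 dst=203.0.113.10:443:X1
time="2025-09-08 02:14:22" msg="SSL VPN login failed" usr="jsmith" src=88.119.175.104:51560:X1 dst=203.0.113.10:443:X1
time="2025-09-08 02:14:30" msg="SSL VPN login failed" usr="jsmith" src=88.119.175.104:51571:X1 dst=203.0.113.10:443:X1
time="2025-09-08 02:14:37" msg="SSL VPN login successful" usr="jsmith" src=88.119.175.104:51590:X1 dst=203.0.113.10:443:X1
time="2025-09-08 08:01:12" msg="SSL VPN login successful" usr="mlee" src=198.51.100.23:40022:X1 dst=203.0.113.10:443:X1
time="2025-09-08 08:05:44" msg="SSL VPN login failed" usr="mlee" src=198.51.100.23:40100:X1 dst=203.0.113.10:443:X1
"""

# key=value, where the value is either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse one event into a dict; adds src_ip (ipaddress object) and ts (datetime)."""
    ev = {}
    for m in KV_RE.finditer(line):
        ev[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if "src" in ev:
        ev["src_ip"] = ip_address(ev["src"].split(":")[0])   # src=ip:port:iface
    if "time" in ev:
        ev["ts"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev


def analyse(log_text: str, max_failures: int = 5, window: timedelta = timedelta(minutes=5)):
    """Return a list of (alert_type, user, src_ip, time) tuples.

    alert types:
      ioc-ip                    any event whose source is on the IoC list
      brute-force               >= max_failures failed logins for one user inside `window`
      success-after-brute-force a successful login while the user is still in that state
    """
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if "src_ip" not in ev or "ts" not in ev:
            continue
        user = ev.get("usr", "?")
        msg = ev.get("msg", "").lower()
        if ev["src_ip"] in IOC_IPS:
            alerts.append(("ioc-ip", user, str(ev["src_ip"]), ev["time"]))
        # Keep only failures inside the sliding window before evaluating the threshold.
        recent = [t for t in failures[user] if ev["ts"] - t <= window]
        if "login failed" in msg:
            recent.append(ev["ts"])
            if len(recent) >= max_failures:
                alerts.append(("brute-force", user, str(ev["src_ip"]), ev["time"]))
        elif "login successful" in msg and len(recent) >= max_failures:
            alerts.append(("success-after-brute-force", user, str(ev["src_ip"]), ev["time"]))
        failures[user] = recent
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample, every jsmith event is reported as an IoC hit, the fifth failure inside five minutes is reported as brute force, and the success that follows is reported separately, which is the pattern a migrated-but-never-reset local account would show; mlee's single failure stays below the threshold and produces nothing.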

Outdated Devices Pose Ongoing Risk 

SonicWall has clarified that Gen 5 (excluding SOHO) and NSA 2600 models, classified as End-of-Life (EoL), will not receive security patches. These systems remain highly vulnerable and should be decommissioned or segmented from critical infrastructure. 

“NSA 2600, Gen 5, and older units are susceptible to this exploit and will not be patched,” the advisory noted. 

The Australian Signals Directorate (ASD) and the ACSC continue to monitor the situation closely. Their joint advisory recommends immediate compliance with the mitigation steps, particularly for Australian entities using legacy SonicWall appliances. 

“Australian organisations must take urgent action to patch affected SonicWall systems and implement strong authentication and access control measures,” the ACSC stated. 

Reinforcement in SonicOS 7.3 

SonicWall has introduced enhanced protection in SonicOS 7.3, including brute-force detection, MFA control mechanisms, and improved admin account monitoring. However, the company warns that without these updates, environments remain susceptible to persistent attack campaigns. 

Further, administrators are encouraged to: 

  • Remove unused or inactive accounts 
  • Review recent configuration changes 
  • Audit local admin credentials and logs 
  • Rotate LDAP login/bind credentials where applicable 

Source: https://cyble.com/blog/acsc-warns-of-cve-2024-40766/