Akira exploitation of SonicWall SSL VPN flaw CVE-2024-40766

An access-control flaw in **SonicWall SSL VPN**, **CVE-2024-40766**, was patched in **August 2024** but remains tied to active Akira-linked intrusion activity against exposed devices. Reporting across the intrusion set points to malicious SSL VPN logins, reused or stolen credentials, and in some cases abuse or bypass of **OTP MFA** to gain entry. SonicWall configuration exposure around LDAP SSL VPN Default User Groups and the **Virtual Office Portal** can widen account permissions after access is obtained. Huntress said the latest burst began on **October 4, 2025** and affected more than **100 SonicWall SSL VPN accounts** across **16 customer environments**. In investigated intrusions, authentications on the devices came from **202.155.8[.]73**, and some sessions quickly moved into network scanning, **Impacket SMB** activity, **Active Directory discovery**, and attempts to access local Windows accounts. Separate reporting described dozens of incidents over a three-month period tied to **CVE-2024-40766** abuse, reinforcing that the activity is not isolated to a single victim. **Marquis Software Solutions** later disclosed an August 14, 2025 ransomware intrusion through a SonicWall firewall that stole files from its systems, with state filings saying more than **400,000 customers** tied to **74 banks and credit unions** were affected. Defenders were told to patch to **7.3.0 or later**, rotate local credentials, remove unused accounts, enforce **MFA/TOTP**, restrict VPN and portal exposure, and enable botnet filtering and account lockout controls, while available evidence does not show that the **MySonicWall** backup-file exposure caused the later compromise spike.