Campaign
Exploitation Wave
Vulnerability
Akira exploitation of SonicWall SSL VPN flaw CVE-2024-40766
Updated 04.12.2025 00:06
Case score 68
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 68
- Main story score
- 62
- Related evidence lift
- +6 / 20
- Contributing updates
- 2
- Context updates
- 0
Top contributors
- Campaign Anchors the Akira-linked SonicWall access pattern and the confirmed Marquis ransomware fallout. main
- Campaign Adds the October 2025 widespread authenticated abuse across more than 100 accounts in 16 environments. contributes
- Vulnerability Provides the exact **CVE-2024-40766** flaw anchor, patch timing, and product-specific mitigation context. main
- Exploitation Wave Supplies the broader exploitation-wave context, post-login behavior, and immediate response guidance. contributes
Title history
-
Old: Akira abuse of SonicWall SSL VPN accessNew: Akira exploitation of SonicWall SSL VPN flaw CVE-2024-40766Why old title changed: The earlier title framed the story as generic access abuse. With the accepted vulnerability record, the activity is more clearly centered on a named, actively exploited **SonicWall SSL VPN** flaw that anchors both the intrusion pattern and the defensive response.The new title keeps the Akira and SonicWall focus while adding **CVE-2024-40766**, which better captures the reader-facing framing, the active-exploitation angle, and the remediation urgency without changing the public URL.
Case score 68
Members 4
Latest activity 04.12.2025 00:06
Active exploitation
Patch available
CVSS: 9.3 Critical
Members 4
First seen 11.09.2025 13:33
Last seen 28.09.2025 21:49
Updated 04.12.2025 00:06
Overview
**CVE-2024-40766** exploitation against **SonicWall SSL VPN** endpoints has become an Akira-linked intrusion and ransomware story, with attackers using malicious logins on exposed devices and, in some cases, abusing or bypassing OTP MFA. Activity observed from **October 4, 2025** spread across more than **100 accounts** in **16 environments** and in some intrusions quickly moved to scanning and Windows account access attempts.
**Marquis Software Solutions** later disclosed a ransomware intrusion through a SonicWall firewall that exposed data tied to **74 banks and credit unions** and affected more than **400,000 customers**. SonicWall customers have been urged to patch, rotate credentials, remove unused accounts, and tighten portal and lockout controls.
An access-control flaw in **SonicWall SSL VPN**, **CVE-2024-40766**, was patched in **August 2024** but remains tied to active Akira-linked intrusion activity against exposed devices. Reporting across the intrusion set points to malicious SSL VPN logins, reused or stolen credentials, and in some cases abuse or bypass of **OTP MFA** to gain entry. SonicWall configuration exposure around LDAP SSL VPN Default User Groups and the **Virtual Office Portal** can widen account permissions after access is obtained. Huntress said the latest burst began on **October 4, 2025** and affected more than **100 SonicWall SSL VPN accounts** across **16 customer environments**.
In investigated intrusions, authentications on the devices came from **202.155.8[.]73**, and some sessions quickly moved into network scanning, **Impacket SMB** activity, **Active Directory discovery**, and attempts to access local Windows accounts. Separate reporting described dozens of incidents over a three-month period tied to **CVE-2024-40766** abuse, reinforcing that the activity is not isolated to a single victim. **Marquis Software Solutions** later disclosed an August 14, 2025 ransomware intrusion through a SonicWall firewall that stole files from its systems, with state filings saying more than **400,000 customers** tied to **74 banks and credit unions** were affected. Defenders were told to patch to **7.3.0 or later**, rotate local credentials, remove unused accounts, enforce **MFA/TOTP**, restrict VPN and portal exposure, and enable botnet filtering and account lockout controls, while available evidence does not show that the **MySonicWall** backup-file exposure caused the later compromise spike.
Signals
8 derivedImpact signals
Exploitation
Exploitation
Active exploitation
CVSS
9.3 Critical
CVEs/products
CVE
Remediation
Remediation
Patch available
Status
Campaign status
Active
Threat context
Tooling
Ransomware
Akira
Affected surface
Affected organizations
74
Malware context
9 families · 9 toolsTools
Impacket
AnyDesk
Datto
LogMeIn
Megazord
Ngrok
AdaptixC2
Quick Assist
+1
Member happenings
4 related
Campaign
Akira ransomware group SonicWall initial-access campaign
Objective
Financial Extortion
Campaign
Active
Campaign
Akira ransomware group SonicWall initial-access campaign
Objective
Financial Extortion
Campaign
Active
Campaign
Akira SonicWall SSL VPN MFA-bypass campaign
Objective
Financial Extortion
Campaign
Active
Patch
Patch Available
Campaign
Akira SonicWall SSL VPN MFA-bypass campaign
Objective
Financial Extortion
Campaign
Active
Patch
Patch Available
Exploitation Wave
SonicWall SSL VPN exploitation wave (Akira-linked)
Exploitation
Active Exploitation
CVSS
9.3 Critical
Patch
Patch Available
Exploitation Wave
SonicWall SSL VPN exploitation wave (Akira-linked)
Exploitation
Active Exploitation
CVSS
9.3 Critical
Patch
Patch Available
Vulnerability
SonicWall SSL VPN access control flaw actively exploited (CVE-2024-40766)
Exploitation
Active Exploitation
Exploit
No Known Public Exploit
Data Type
Passwords
CVSS
9.3 Critical
+1
Vulnerability
SonicWall SSL VPN access control flaw actively exploited (CVE-2024-40766)
Exploitation
Active Exploitation
Exploit
No Known Public Exploit
Data Type
Passwords
CVSS
9.3 Critical
+1