
SonicWall SSL VPN access control flaw actively exploited (CVE-2024-40766)

Vulnerability
Happening score: 66
4 unique sources, 5 articles

Summary


CVE-2024-40766 is a SonicWall SSL VPN access control flaw that has been actively exploited to breach exposed devices, with Akira ransomware tied to the campaign. Recent reporting says attackers used malicious SSL VPN logins and, in some cases, were able to bypass or abuse OTP MFA, then move to port scanning, Impacket SMB activity, and rapid ransomware deployment. The campaign has been observed across multiple victims and has remained active since mid-2024, with new infrastructure and incidents continuing into 2025.

Cases

Related Happenings

Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices

Target Trend
First: 15.04.2026 12:30 Last: 15.04.2026 12:30 Sources 1

About this happening: A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...

APT28 SOHO router DNS hijacking and credential theft campaign

Campaign
First: 07.04.2026 18:30 Last: 07.04.2026 18:30 Sources 1

About this happening: **APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...

Latest development: 08.04.2026 13:03

On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.

F5 BIG-IP APM active exploitation wave (CVE-2025-53521)

Exploitation Wave
First: 02.04.2026 11:25 Last: 02.04.2026 11:25 Sources 1

About this happening: As of **2026-04-02**, ongoing attacks are exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, leaving more than **14,000** exposed online and at risk of remote code e...

2025 Rise in legitimate-access intrusions across enterprise sectors

Target Trend
First: 01.04.2026 17:05 Last: 01.04.2026 17:05 Sources 1

About this happening: **Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...

React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
First: 20.02.2026 23:07 Last: 20.02.2026 23:07 Sources 1

About this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...

Timeline

  1. 29.09.2025 12:32 4 articles · 8mo ago

    Akira expands SonicWall CVE-2024-40766 exploitation

    Campaign Scope Update

    Akira ransomware remains active against SonicWall firewalls, with Arctic Wolf observing dozens of incidents over the past three months tied to CVE-2024-40766 abuse, SSL VPN logins from VPS hosting providers, Impacket SMB activity, and Active Directory discovery. The campaign targets SSL VPN accounts using OTP MFA, and Barracuda separately observed Akira affiliates using Datto RMM, backup agents, and PowerShell to gain control while avoiding security alerts.

  2. 11.09.2025 19:32 2 articles · 8mo ago

    SonicWall SSL VPN access control flaw actively exploited (CVE-2024-40766)

    Initial Disclosure

    SonicWall patched **CVE-2024-40766** in **August 2024** after identifying an **access control** flaw that could enable **unauthorized resource access** and trigger **firewall crashes**. The bug affects exposed **SSLVPN** endpoints across several firewall generations.
