SonicWall SSL VPN CVE-2024-40766 active exploitation wave
Exploitation Wave
Summary
Akira is driving a renewed wave of active exploitation of CVE-2024-40766 against SonicWall SSL VPNs, creating immediate unauthorized-access risk for exposed devices. The activity has intensified in Australia and is tied to still-unpatched endpoints and credential reuse. SonicWall says the abuse is linked to the known flaw, not a zero-day, and urges urgent patching, password resets, and MFA.
Related Happenings
Cisco security patch release for CVE-2026-20184
Security Patch Release
First: 16.04.2026 14:27
Last: 16.04.2026 14:27
Sources 1
About this happening:
**Cisco** released patches for **four critical flaws** affecting **Identity Services Engine (ISE)**, **ISE-PIC**, and **Webex Services**, closing paths to **arbitrary code executi...
Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices
Target Trend
First: 15.04.2026 12:30
Last: 15.04.2026 12:30
Sources 1
About this happening:
A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...
Cisco IMC password change authentication bypass (CVE-2026-20093)
Vulnerability
First: 02.04.2026 14:01
Last: 02.04.2026 14:01
Sources 1
About this happening:
Cisco released **security updates** for **Cisco IMC/CIMC** after a **password-change authentication bypass** was found that lets **unauthenticated attackers** gain **Admin access*...
F5 BIG-IP APM active exploitation wave (CVE-2025-53521)
Exploitation Wave
First: 02.04.2026 11:25
Last: 02.04.2026 11:25
Sources 1
About this happening:
As of **2026-04-02**, ongoing attacks are exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, leaving more than **14,000** exposed online and at risk of remote code e...
2025 Rise in legitimate-access intrusions across enterprise sectors
Target Trend
First: 01.04.2026 17:05
Last: 01.04.2026 17:05
Sources 1
About this happening:
**Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...
Timeline
- 11.09.2025 19:32 · 2 articles · 8mo ago
ACSC warns on renewed Akira exploitation of SonicWall SSL VPNs
Initial Disclosure
On 2025-09-11, the Australian Cyber Security Centre warned that Akira ransomware was targeting vulnerable Australian organizations through SonicWall SSL VPNs, while SonicWall said the recent SSLVPN activity had a high-confidence correlation with CVE-2024-40766 rather than a zero-day. Rapid7 reported that Akira attacks on SonicWall devices had recently re-ignited, likely tied to incomplete remediation, and SonicWall said it was investigating up to 40 related security incidents. SonicWall had previously patched CVE-2024-40766 in August 2024 and advised administrators to rotate locally managed SSLVPN passwords, enforce MFA, mitigate SSLVPN Default Groups risk, and restrict Virtual Office Portal access because exposed credentials could be reused to regain access.
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32