A recent series of ransomware attacks has put SonicWall’s Gen 7 firewalls in the spotlight, raising questions across the cybersecurity industry about the underlying cause. Security teams and IT administrators are closely watching developments as information emerges about how attackers accessed corporate networks. Organizations relying on SonicWall products have been compelled to reevaluate their patch management and migration practices. The incidents demonstrate that even well-publicized vulnerabilities and existing guidance can still leave systems exposed under certain conditions.
Recent reports about SonicWall firewalls have often centered on zero-day vulnerabilities or previously undisclosed issues linked to ransomware attacks. In the past, public attention was drawn toward SonicWall following incidents involving different ransomware strains and other critical defects, especially after the company was repeatedly added to exploited vulnerability lists. While past events have highlighted the importance of quick patch adoption, this case adds nuance regarding migration procedures and user configuration. The series of attacks discussed here brings renewed focus to the operational side of defense, not just patching but also post-migration security hygiene.
How Did SonicWall Respond to the Attacks?
SonicWall has dismissed suggestions of a new zero-day vulnerability impacting its Gen 7 firewalls, instead stating that the attacks stem from a previously disclosed issue, CVE-2024-40766. This improper access control flaw in SonicOS, assigned a CVSS score of 9.8, was publicly detailed and patched in August 2024. SonicWall emphasized,
“We have high confidence that this activity is related to CVE-2024-40766,”
reinforcing that the vulnerability is not unknown or newly discovered.
Who Is Most at Risk from the Recent Incidents?
Underlying risk factors have been identified among organizations that recently migrated from Gen 6 to Gen 7 firewalls without changing default or existing passwords. Some cybersecurity firms, including Huntress and GuidePoint Research, have found that the vast majority of victims number under 40, with attacks concentrated primarily on those who did not follow recommended post-migration security steps. Huntress also reported exceptions, noting some new Gen 7 installations that were compromised regardless of prior configurations, suggesting additional vulnerabilities or misconfigurations may be involved.
What Kind of Ransomware Is Involved and What Guidance Has SonicWall Offered?
The Akira ransomware group has been strongly associated with these attacks. Akira affiliates typically attempt to steal data before encrypting systems and demanding payment for decryption. According to advisories, Akira has been linked to over 250 incidents, with nearly $42 million extorted. In terms of mitigation, SonicWall has updated its guidance, instructing customers to upgrade to SonicOS 7.3.0 and reset user credentials to strengthen defenses. The company stated,
“If any local administrator accounts have been compromised through CVE-2024-40766, attackers may exploit administrative features… to obtain additional credentials or weaken the overall security posture.”
Recent SonicWall guidance also advises against disabling SSLVPN on Gen 7 devices and instead favors layered authentication support. While some attacks involved customers with the patch already applied, lingering risks due to improper migration practices or legacy password retention have highlighted the complexity of maintaining secure firewall environments. The company’s appearance on CISA’s exploited vulnerabilities catalog repeatedly since 2021 points to a persistent threat landscape and the need for ongoing vigilance.
Continuous targeting of SonicWall products has emphasized that disclosure and patching do not always equate to comprehensive protection. The effectiveness of operational controls—such as password changes, configuration reviews, and attentive incident monitoring—often determines whether organizations remain secure. Those relying on SonicWall’s Gen 7 firewalls should prioritize not only the application of existing patches but also evaluate their security postures in light of recent attack vectors. Monitoring for signs of compromise and verifying configuration integrity are crucial for defense against variants like Akira ransomware, especially as attackers adapt tactics based on user behavior and migration patterns. Alerts about the same vulnerability repeatedly entering exploited lists underscore the recurring nature of these risks and the importance of timely, thorough response. Security professionals should use this case as a prompt to scrutinize not just their patch status, but the completeness of their migration and credential management procedures as well.
