On April 16, 2026, SonicWall ended support for its Generation 6 firewalls, but an audit published by the SANS Internet Storm Center covering 14 Gen7 devices reveals a deeper problem: the firmware patch for CVE-2024-40766 fixed the technical vulnerability, yet the attack surface persists through unsanitized residual configurations. Attackers are not developing new exploits; they are accessing systems with valid credentials on accounts that should not exist.
- Of 14 audited SonicWall Gen7 firewalls, 12 had local SSLVPN accounts absent from Active Directory, and 11 had not rotated passwords after the Gen6 upgrade.
- 9 of 14 devices mapped the Default LDAP User Group to a group with SSLVPN access, implicitly granting permissions to every domain account.
- Arctic Wolf documented dwell times under 4 hours, with cases as short as 55 minutes from initial access to encryption.
- SonicWall confirmed with high confidence that 2025 activity traced to the known CVE-2024-40766, not a new zero-day.
From KEV to "Configuration Debt": What Changes After the Patch
CVE-2024-40766 is an improper access control vulnerability in SonicOS with a CVSS 9.3 per SANS ISC, affecting Generations 5, 6, and 7. The National Vulnerability Database records the CVSS:3.1 vector as AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. CISA added the CVE to the KEV catalog on September 9, 2024, with two remediation deadlines set for September 30, 2024. Ransomware groups including Akira and Fog exploited the flaw starting in September 2024.
The technical fix is available, but the SANS analysis of 14 firewalls demonstrates that firmware remediation did not sanitize the configuration dimension. The quantitative data is stark: 12 of 14 devices hosted local SSLVPN accounts absent from Active Directory; 11 of 14 had not rotated local account passwords after the firmware upgrade; 10 of 14 operated without source-IP restrictions on SSLVPN authentication; 9 of 14 had the Default LDAP User Group mapped to a group with SSLVPN permissions.
This last point is particularly significant. The Default LDAP User Group implicitly inherits permissions assigned to the referenced group: if that group includes SSLVPN access, every Active Directory account acquires that capability without explicit configuration. According to SANS, on 7 of 14 devices the Virtual Office Portal was exposed to the internet, allowing an attacker with valid credentials to self-enroll a TOTP device and bypass MFA.
"The attackers are not breaking in through novel exploits. They are logging in with valid credentials to accounts that should not exist on devices that were patched but never cleaned up." — SANS Internet Storm Center
The Gen6→Gen7 Migration: Carrying Over Unreset Credentials
SonicWall, via the updated advisory cited by Huntress, confirmed that "many of the incidents appear to relate to migrations from sixth-generation to seventh-generation firewalls, where local user passwords were carried over during the migrations and were not reset after." Generation 6 reached EOL on April 16, 2026, ruling out further patches.
The mechanism is identifiable: during migration, configuration transfer tools preserve local accounts and their hashes. If passwords are not explicitly reset, stale accounts—often created years earlier for administrators or vendors—remain active with credentials potentially compromised in prior breaches or exposed through other channels.
SANS flags a specific indicator of compromise: "A human administrator does not create accounts with null bytes in the username." The presence of such accounts suggests automated creation by exploitation tooling, distinguishing technical compromise artifacts from legitimate configurations.
The Industrialization of Access: Akira, Fog, and Dwell Time
The distribution of ransomware groups in 2025 intrusions is asymmetric: roughly 75% attributable to Akira, 25% to Fog. Arctic Wolf data indicates dwell times under 4 hours, with a documented case of 55 minutes from initial access to encryption. This speed is consistent with the use of valid credentials rather than the research and development of zero-day exploits.
Macnica estimated approximately 48,933 devices still publicly exposed and unpatched as of December 2024, against an installed base of nearly 500,000 businesses in 215 countries. The figure concerns exposure, not compromise: not all exposed devices have been breached.
SonicWall also documented an evolution in its internal estimates: the percentage of MySonicWall customers with compromised backups rose from under 5% initially to 100% by September 2025, indicating attackers progressively exhausted the pool of vulnerable targets.
Why It Matters
The dossier does not specify automatable remediation measures for the configuration dimension. The original vendor advisory includes recommendations for IP restriction, MFA, and password rotation, but does not explicitly address the post-migration persistence problem. The source does not document whether CVE-2024-12802, an MFA authentication bypass with CVSS 9.1 requiring 6 manual LDAP steps beyond the firmware patch, also affects Generation 7: the brief mentions it only for Gen6.
SANS does not qualify the 14 audited firewalls as a representative sample of the global installed base, and the exact publication date of the analysis is not captured in the RSS feed. The total number of organizations actually compromised remains unknown, as does the extent of the MySonicWall platform compromise: the dossier does not establish whether encrypted credentials were actually decrypted by attackers.
The episode demonstrates the limits of the "patch-and-forget" model when the vulnerability includes a configuration dimension not automatable by the vendor. Technically compliant devices remain operationally compromised, and attackers industrialize access through residual credentials rather than investing in new exploits. For the enterprise sector, the question is not whether to patch, but what happens after.
Frequently Asked Questions
Is the patch for CVE-2024-40766 ineffective?
No. The patch fixes the technical improper access control vulnerability. The problem is that remediation did not include sanitization of residual configurations, allowing attackers to bypass the protection with valid credentials.
Can I verify if my firewall is at risk?
The SANS audit indicates five verification items: local SSLVPN accounts not present in Active Directory, passwords not rotated post-upgrade, absence of source-IP restrictions, Default LDAP User Group mapped to a group with SSLVPN access, Virtual Office Portal exposed to the internet. The source does not provide automated tools for this verification.
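The five verification items above, together with the null-byte username indicator SANS flags in the migration section, expressed as a check over a constructed configuration snapshot. This is an added example, not tooling from SANS or SonicWall; the snapshot field names are assumptions, since the SonicOS export format is not described here, and the sample values are constructed.

```python
# Added example: evaluates the five SANS audit items plus the null-byte
# username IoC over a constructed, normalized snapshot of SSLVPN settings.
# Field names are assumptions, not SonicOS's export format.
from datetime import date

# Constructed sample, as an admin might transcribe it from the management UI.
SNAPSHOT = {
    "firmware_upgrade_date": date(2024, 9, 20),
    "local_sslvpn_users": [
        {"name": "vendor-svc", "password_changed": date(2021, 3, 2)},
        {"name": "jsmith", "password_changed": date(2024, 10, 1)},
        {"name": "admin\x00x", "password_changed": date(2024, 9, 25)},
    ],
    "ad_users": {"jsmith", "mlee"},
    "sslvpn_source_ip_restricted": False,
    "default_ldap_group_mapped_to": "SSLVPN Services",
    "sslvpn_groups": {"SSLVPN Services"},
    "virtual_office_portal_wan": True,
}


def audit(snapshot):
    """Return a list of (check, detail) findings; an empty list means clean."""
    findings = []
    upgrade = snapshot["firmware_upgrade_date"]
    ad = snapshot["ad_users"]
    for user in snapshot["local_sslvpn_users"]:
        name = user["name"]
        if "\x00" in name:
            # SANS: a human administrator does not create null-byte usernames.
            findings.append(("null_byte_username", repr(name)))
        if name not in ad:
            findings.append(("local_account_not_in_ad", name))
        if user["password_changed"] <= upgrade:
            # Password last set on or before the Gen7 upgrade: carried over.
            findings.append(("password_not_rotated_after_upgrade", name))
    if not snapshot["sslvpn_source_ip_restricted"]:
        findings.append(("no_source_ip_restriction", "SSLVPN"))
    if snapshot["default_ldap_group_mapped_to"] in snapshot["sslvpn_groups"]:
        # Every domain account inherits SSLVPN access through this mapping.
        findings.append(("default_ldap_group_grants_sslvpn",
                         snapshot["default_ldap_group_mapped_to"]))
    if snapshot["virtual_office_portal_wan"]:
        findings.append(("virtual_office_portal_exposed", "WAN"))
    return findings


def finding_kinds(snapshot):
    """Distinct check names that fired, for a quick pass/fail summary."""
    return {kind for kind, _ in audit(snapshot)}
```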
What is the relationship between CVE-2024-40766 and CVE-2024-12802?
They are distinct vulnerabilities. CVE-2024-12802 is an MFA bypass with CVSS 9.1 requiring 6 manual LDAP steps beyond the firmware patch. The brief mentions it only for Generation 6, not documenting its presence on Gen7.
Information is based on the cited source and current as of publication.
Sources
- https://isc.sans.edu/diary/rss/33094
- https://nvd.nist.gov/vuln/detail/cve-2024-40766
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
- https://www.huntress.com/blog/exploitation-of-sonicwall-vpn