Critical Access Control Vulnerability Detected in SonicWall’s SonicOS
August 26, 2024
SonicWall has issued a warning about a critical access control flaw in its SonicOS that could grant attackers unauthorized access to resources or, under specific conditions, cause the firewall to crash. The flaw is tracked as CVE-2024-40766 and carries a CVSS v3 base score of 9.3, reflecting a network-based attack vector, low attack complexity, and no requirement for authentication or user interaction. SonicWall's bulletin reads, "An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash."
The flaw affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. SonicWall advises administrators to upgrade to a SonicOS release that addresses CVE-2024-40766; the updates are available for download on mysonicwall.com. For those who cannot apply the fix immediately, SonicWall recommends restricting firewall management access to trusted source IP addresses or disabling WAN management access from the internet; guidance on both is on SonicWall's help page. Note that the vulnerability sits in management access itself, so the workaround only limits who can reach the vulnerable component and does not remove the flaw; it is a stopgap until the firmware is updated, and the restriction should be confirmed from an untrusted vantage point rather than assumed from the configuration.
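The following is an added example, not SonicWall tooling and not from the original bulletin, showing how an operator might triage a firewall inventory against the affected-version statement above and check whether a management port is still reachable after applying the workaround. It encodes only what this page states (Gen 5 and Gen 6 affected with no version bound given here; Gen 7 affected on 7.0.1-5035 and older) and reports anything outside that statement as "verify" rather than "safe", because the fixed builds are not listed on this page and must be confirmed on mysonicwall.com. The inventory entries are constructed and the reachability helper is a plain TCP connect, not a SonicOS-specific probe.

```python
"""Triage a SonicWall firewall inventory against CVE-2024-40766.

Added example (not SonicWall's code). Assumptions:
  * Only the advisory text on this page is used: Gen 5 and Gen 6 are affected,
    Gen 7 is affected on SonicOS 7.0.1-5035 and older.
  * Version strings look like 'major.minor[.patch...]-build[suffix]',
    e.g. '7.0.1-5035' or '6.5.4.14-109n'; the letter suffix is ignored
    for ordering.
  * Fixed builds are NOT known from this page, so newer Gen 7 builds are
    reported as 'verify', never as 'not affected'.
"""
import re
import socket
from typing import List, Tuple

# Newest Gen 7 build the advisory text lists as affected.
GEN7_MAX_AFFECTED = "7.0.1-5035"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]*)$")


def parse_sonicos_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split 'x.y.z-build' into ((x, y, z), build) so tuples compare in order.

    Raises ValueError on anything that does not match the expected shape,
    so a malformed inventory entry cannot be silently classified.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    dotted = tuple(int(part) for part in m.group(1).split("."))
    return dotted, int(m.group(2))


def assess(generation: int, version: str) -> str:
    """Return 'affected' when the page's advisory text covers the device,
    or 'verify' when it does not (newer Gen 7 build; confirm against the
    vendor's fixed-version list before treating it as patched)."""
    if generation in (5, 6):
        # The page gives no version bound for Gen 5/6: treat all as affected.
        return "affected"
    if generation == 7:
        if parse_sonicos_version(version) <= parse_sonicos_version(GEN7_MAX_AFFECTED):
            return "affected"
        return "verify"
    raise ValueError(f"unsupported generation: {generation}")


# Constructed inventory for illustration; these are not real devices.
INVENTORY: List[Tuple[str, int, str]] = [
    ("fw-branch-01", 6, "6.5.4.14-109n"),
    ("fw-dc-edge", 7, "7.0.1-5030"),
    ("fw-dc-core", 7, "7.0.1-5035"),
    ("fw-lab", 7, "7.1.1-7040"),
]


def triage(inventory: List[Tuple[str, int, str]]) -> List[Tuple[str, str]]:
    """Classify every device in the inventory."""
    return [(name, assess(gen, ver)) for name, gen, ver in inventory]


def management_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect check for the workaround: run this from an untrusted
    (internet) vantage point against the firewall's WAN address and the
    management ports in use. True means the port still accepts connections
    and the restriction is not effective from that vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, status in triage(INVENTORY):
        print(f"{name:<14} {status}")
```

Run the reachability check from outside the network (e.g. a cloud shell), not from the LAN side, otherwise it proves nothing about internet exposure; a device that reports "verify" is a prompt to compare its build against the vendor's fixed-version list, not a pass.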
SonicWall firewalls are widely deployed across mission-critical industries and corporate environments, and are frequently targeted by threat actors seeking initial access to corporate networks. In March 2023, SonicWall Secure Mobile Access (SMA) appliances were attacked by a suspected Chinese group tracked as UNC4540, using custom malware that persisted across firmware upgrades. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of vulnerabilities in SonicWall appliances since 2022.