CVE-2024-40766 could lead to unauthorised access or denial-of-service

Threat ID:CC-4545

Threat Severity:Medium

Published:6 September 2024 12:20 PM

Summary

Affected platforms

The following platforms are known to be affected:

SonicWall SonicOS

SOHO (Generation 5): version 5.9.2.14-12o and earlier

Generation 6: version 6.5.4.14-109n and earlier

Generation 7: version 7.0.1-5035 and earlier

Threat details

Evidence of exploitation

SonicWall has updated their advisory to reflect potential exploitation of CVE-2024-40766 in the wild.

SSLVPN and firewall appliances are internet-facing by design and frequent targets for cyber threat groups. Vulnerabilities in SSLVPN and firewall appliances are often exploited soon after official disclosure and broader exploitation is expected.

Introduction

SonicWall has released a security advisory to address a critical vulnerability in SonicOS management access and SSLVPN, affecting their SOHO (Generation 5), Generation 6, and Generation 7 appliances. SonicWall appliances are security appliances that provide virtual private network (VPN) and 'next-gen' firewall capabilities. The SonicWall advisory has been updated to reflect reports of exploitation.

CVE-2024-40766 is an 'Improper Access Control' vulnerability with a CVSSv3 score of 9.3. Successful exploitation by an unauthenticated, remote attacker could lead to unauthorised resource access or allow the attacker to crash the firewall, leading to a denial-of-service condition.

Remediation advice

Affected organisations are encouraged to review SonicWall advisory SNWLID-2024-0015 and apply the relevant updates.

Definitive source of threat updates

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

CVE Vulnerabilities

StatusPublished

CVE-2024-40766An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Last edited: 6 September 2024 12:20 pm