Threat Advisory: Understanding the Recent SonicWall SSL VPN Vulnerability and How to Protect Your Clients

Over the past few days, the cybersecurity community has been buzzing about a SonicWall vulnerability that ransomware groups, including Akira, have been actively exploiting. While initial reports suggested a zero-day threat affecting even fully patched systems, the situation has been clarified—but the risk remains very real.

What We Know Now

The threat centers on CVE-2024-40766, a known vulnerability that affects SonicWall Gen 6 to Gen 7 firewall migrations. The vulnerability applies specifically when local user passwords were carried over during migration and not reset, potentially leading to unauthorized resource access and system crashes.

According to SonicWall's official guidance, this isn't the zero-day many initially feared, but it's still being actively exploited by threat actors who use it to establish initial access to victim environments.

Why This Matters for MSPs

The Akira ransomware group and others are opportunistic, focusing on financial gain rather than targeting specific organizations. This puts SMBs and mid-market companies—and the MSPs who serve them—at heightened risk, especially given the common use of SonicWall network security solutions in these markets.

Akira employs double extortion techniques, stealing sensitive data before deploying ransomware. This creates additional pressure on victims to pay—not just to unlock encrypted data, but to prevent the leak of confidential information.

The Broader Security Challenge

This incident highlights a critical blind spot: organizations that focus primarily on endpoint and backup-centric defenses often miss intrusion attempts, unauthorized system access, and data exfiltration happening at the network level.

When threat actors gain initial access through vulnerabilities like this one, they move quickly. The window between initial compromise and ransomware deployment is often measured in hours, not days.

How Todyl Helps Mitigate These Risks

Our platform is designed to address exactly these types of multi-vector attacks:

Immediate Detection and Response

  • Our MXDR team continuously monitors and hunts for threat actor activity specifically related to SonicWall vulnerabilities
  • Our teams are working around the clock to keep you and your clients safe
  • Detection Engineering and MXDR teams are prepared to update rules within the Todyl Platform as needed

Network-Level Protection

  • Todyl SASE can serve as an alternative VPN solution while SonicWall vulnerabilities are addressed
  • Conditional access policies restrict access to only protected devices
  • Network segmentation through LAN Zero Trust prevents lateral movement and ransomware spread

Comprehensive Visibility

  • SIEM integration provides unified visibility across all security tools and data sources
  • EDR/NGAV in prevent mode stops malicious activity before it can cause damage
  • Application blocklist policies prevent unauthorized remote access tools commonly used in attacks

Todyl's Mitigation Recommendations

Our Field CISO and Security teams recommend the following steps to mitigate the risks of initial access, data exfiltration, and ransomware deployment:

  1. Apply any recommended SonicWall remediation steps
  2. Enable MFA for locally managed SSL VPN accounts - this appears to be the primary initial vector for CVE-2024-40766
  3. Consider temporarily disabling SonicWall VPN services and enabling Todyl SASE as an always-on VPN until full root cause analysis and patching are complete
  4. Apply conditional access policies using Todyl SASE NGFW to restrict access to only Todyl protected devices
  5. Enforce MFA by policy for all users via Todyl SASE, especially for access to sensitive or mission-critical systems
  6. Restrict internal access via Todyl SASE to sensitive systems using least privilege principles
  7. Ensure EDR/NGAV policies are in Prevent mode and apply application blocklist policies for unapproved remote management tools
  8. Apply network segmentation through LAN Zero Trust to prevent lateral movement and ransomware spread
  9. Ensure Todyl SIEM ingests all available integration data, especially from systems that monitor or hold sensitive information
  10. Hunt for indicators of compromise or leverage Todyl MXDR for continuous monitoring and investigation
  11. Review incident response plans and ensure backups and disaster recovery plans are current and maintained
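Recommendations 2 and 10 above point at the same question for a hunt: which locally managed SSL VPN accounts are authenticating without MFA, and do any of those successes follow a run of failures from the same source? The script below is an added example, not Todyl's or SonicWall's code. It uses a constructed key=value log layout that is an assumption for illustration (it is not SonicWall's real syslog format), and every field name, user name and address in it is made up.

```python
"""
Added example: triage SSL VPN authentication events for two conditions the
advisory's recommendations 2 and 10 describe. The log layout and field names
are assumptions made for this example, NOT SonicWall's real syslog format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines (not real logs); addresses are documentation ranges.
SAMPLE_LOGS = """\
2024-09-05T08:01:12Z sslvpn auth_result=success user=jdoe auth_source=ldap mfa=yes src=203.0.113.10
2024-09-05T08:03:40Z sslvpn auth_result=failure user=admin_local auth_source=local mfa=no src=198.51.100.23
2024-09-05T08:03:52Z sslvpn auth_result=failure user=admin_local auth_source=local mfa=no src=198.51.100.23
2024-09-05T08:04:05Z sslvpn auth_result=failure user=admin_local auth_source=local mfa=no src=198.51.100.23
2024-09-05T08:04:30Z sslvpn auth_result=success user=admin_local auth_source=local mfa=no src=198.51.100.23
2024-09-05T08:05:09Z sslvpn auth_result=success user=svc_backup auth_source=local mfa=no src=192.0.2.77
2024-09-05T08:07:55Z sslvpn auth_result=success user=msmith auth_source=ldap mfa=yes src=203.0.113.10
2024-09-05T08:09:30Z sslvpn auth_result=success user=svc_backup auth_source=local mfa=yes src=192.0.2.77
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+sslvpn\s+(?P<kv>.+)$")


@dataclass
class AuthEvent:
    ts: datetime
    result: str     # "success" or "failure"
    user: str
    source: str     # "local" (firewall-managed account) or a directory such as "ldap"
    mfa: bool
    src_ip: str


def parse_line(line: str) -> AuthEvent | None:
    """Parse one constructed key=value line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        return AuthEvent(
            ts=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            result=fields["auth_result"],
            user=fields["user"],
            source=fields["auth_source"],
            mfa=fields["mfa"].lower() == "yes",
            src_ip=fields["src"],
        )
    except (KeyError, ValueError):
        return None


def parse_logs(text: str) -> list[AuthEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def local_logins_without_mfa(events: list[AuthEvent]) -> list[AuthEvent]:
    """Successful logins by local accounts with no MFA: the exposure that
    recommendation 2 (MFA on locally managed SSL VPN accounts) closes."""
    return [e for e in events
            if e.result == "success" and e.source == "local" and not e.mfa]


def success_after_failures(events: list[AuthEvent], min_failures: int = 3,
                           window: timedelta = timedelta(minutes=5)) -> list[AuthEvent]:
    """Successes preceded by at least `min_failures` failures for the same user
    from the same source within `window`. A generic hunting heuristic chosen
    for this example, not a vendor signature."""
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, ev in enumerate(ordered):
        if ev.result != "success":
            continue
        recent_failures = sum(
            1 for prev in ordered[:i]
            if prev.result == "failure" and prev.user == ev.user
            and prev.src_ip == ev.src_ip and ev.ts - prev.ts <= window
        )
        if recent_failures >= min_failures:
            hits.append(ev)
    return hits


def triage(text: str) -> dict[str, list[str]]:
    """Run both checks and return user@src labels per finding for the SIEM or analyst."""
    events = parse_logs(text)
    return {
        "local_no_mfa": [f"{e.user}@{e.src_ip}" for e in local_logins_without_mfa(events)],
        "success_after_failures": [f"{e.user}@{e.src_ip}" for e in success_after_failures(events)],
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LOGS).items():
        print(f"{finding}: {items}")
```

On the constructed sample, the triage flags two local accounts that logged in without MFA and one of them (`admin_local`) as a success that followed three failures from the same source within five minutes. Against real exports the parser is the part to replace; the two checks stay the same, and the second is what an analyst would expand into a per-source count across all users once local-account MFA (recommendation 2) has been enforced and the first finding should be empty.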

The Bottom Line

While this SonicWall vulnerability has been clarified and isn't the zero-day initially feared, it demonstrates why layered security and continuous monitoring are essential. Threat actors are constantly looking for ways to establish initial access, and they move fast once they're in.

The organizations that weather these storms best are those with comprehensive security platforms, proactive monitoring, and rapid response capabilities in place before an incident occurs.

Need Help?

If you have questions about this threat or want to discuss how Todyl can help protect your clients from these types of attacks, reach out to your Channel Account Manager. Our team is here to help you navigate these challenges and keep your clients secure.
