Monday, September 9, 2024

CISA Adds SonicOS Vulnerability to KEV Catalog

Today, CISA added three vulnerabilities to their Known Exploited Vulnerabilities (KEV) Catalog, including CVE-2024-40766, an improper access control vulnerability in the SonicWall SonicOS operating system. SonicWall published their advisory for this vulnerability on August 22nd, and most recently updated it on September 6th, 2024. That update added the notification that “This vulnerability is potentially being exploited in the wild.” SonicWall has new versions that mitigate the vulnerability.

CISA is requiring federal agencies using SonicOS to “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” Agencies must complete this by September 30th, 2024. All other organizations using the affected products should consider doing the same.
