SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers
Briefly

"This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services - such as SSL VPN, administrative interfaces, or unrestricted network zones - then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions."
"Rapid7 said it observed a spike in intrusions involving SonicWall appliances over the past month, particularly following reports about renewed Akira ransomware activity since late July 2025. Rapid7, in its alert, said it has also observed threat actors accessing the Virtual Office Portal hosted by SonicWall appliances, which, in certain default configurations, can facilitate public access and enable attackers to configure MFA/TOTP with valid accounts, assuming there is a prior credential exposure."
Rapid7 observed a spike in intrusions targeting SonicWall appliances following renewed Akira ransomware activity since late July 2025. SonicWall identified SSL VPN exploitation of CVE-2024-40766 (CVSS 9.3) in cases where local user passwords had been carried over during migration and never reset. SonicWall also reported increased brute-force attempts and recommended enabling Botnet Filtering and Account Lockout policies. In addition, SonicWall warned that the LDAP SSL VPN Default User Group setting automatically grants every authenticated LDAP user the privileges of a local group, so a compromised AD account can gain access to sensitive services and bypass AD group-based access controls. Rapid7 also observed abuse of the Virtual Office Portal to configure MFA/TOTP on accounts whose credentials had already been exposed.
Read at The Hacker News