SonicWall releases firmware updates for three CVEs

May 1, 2026
By Steve Zurier

SonicWall on April 29 released firmware updates for three vulnerabilities affecting Gen 6, Gen 7 and Gen 8 of its firewall platforms.

According to a SonicWall advisory, one of the three CVEs — CVE-2026-0204 — was rated 8.3 high-severity, while the other two — CVE-2026-0205 and CVE-2026-0206 — are rated medium-severity.

Security experts said given the tendency of ransomware groups such as Akira to attack SonicWall firewalls over the past year, teams should patch right away.

“Akira has already built a ransomware business around SonicWall exposure,” said Denis Calderone, Principal/CTO at Suzu Labs. “The 2026 InsurSec Report by At-Bay shows that Akira accounted for more than 40% of ransomware claims in its portfolio, and SonicWall appliances were present in 86% of Akira attacks. That is a pretty tried and true playbook.”

Shane Barney, chief information security officer at Keeper Security, pointed out that most organizations extend implicit trust to their firewall: it’s the enforcer — the device that decides what gets in and what doesn't.

Barney said what makes the high-severity CVE-2026-0204 bug so consequential is that an attacker who gains access to the management interface doesn't need to fight through our defenses. Rather, the attacker can simply rewrite them, modifying configurations, disabling protections and creating the conditions for a much larger attack, all while the rest of our security stack sees nothing unusual.

Barney added that the two medium-severity CVEs carry less immediate risk, but teams should also patch them.

“Authentication requirements are only as strong as the credentials behind them, and patching all three should be the priority,” said Barney.
Sam Decker, a threat intelligence engineer at Blackpoint Cyber, said he considers this a “patch now” situation.

“Edge devices like firewalls and VPNs have become one of the most common ways attackers get into networks, and we see that play out in real incidents all the time,” said Decker. “Threat actors are monitoring for these disclosures and they move fast; it’s very likely threat actors will begin targeting these vulnerabilities over the next 30-60 days.”

Suzu Labs’ Calderone added that while the new SonicOS flaws are not reported as exploited in the wild yet, SonicWall customers do not have the luxury of waiting for that to change. Calderone pointed to CVE-2024-40766, a flaw that was patched in 2024, but organizations still got hit a year later because migrated local accounts, SSL VPN credentials, MFA configuration, and monitoring were not cleaned up.

“Akira affiliates were getting from VPN access to ransomware in hours, sometimes faster,” said Calderone. “So yes, apply the firmware.”

Calderone said teams should also take the following steps:

- Disable HTTP and HTTPS management from untrusted networks.
- Restrict SSL VPN exposure where possible.
- Reset local and migrated VPN credentials.
- Audit LDAP and service accounts.
- Monitor for VPN logins from VPS and hosting providers.
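An added example (not from the article or from SonicWall) of the step "Monitor for VPN logins from VPS and hosting providers": it flags SSL VPN logins whose source address falls inside a hosting-provider range. The log layout, field names and CIDR ranges are constructed placeholders, not SonicWall's actual log format or a real provider list.

```python
import ipaddress
import re

# Assumption: RFC 5737 documentation ranges stand in for a real, regularly
# refreshed list of VPS/hosting-provider networks.
HOSTING_NETS = {
    "example-vps-a": ipaddress.ip_network("198.51.100.0/24"),
    "example-vps-b": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed sample lines; hypothetical fields, not SonicWall's log format.
SAMPLE_LOG = """\
time="2026-05-01 02:14:07" event=sslvpn_login result=success user=jdoe src=198.51.100.23
time="2026-05-01 02:15:40" event=sslvpn_login result=failure user=svc_ldap src=203.0.113.9
time="2026-05-01 08:59:12" event=sslvpn_login result=success user=asmith src=192.0.2.44
time="2026-05-01 09:01:00" event=admin_login result=success user=admin src=203.0.113.9
time="2026-05-01 09:02:31" event=sslvpn_login result=success user=svc_ldap src=not-an-ip
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one log line into a dict of fields, stripping quotes."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def hosting_provider(src):
    """Return the matching hosting range name, or None (also if src is not an IP)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    return next((name for name, net in HOSTING_NETS.items() if addr in net), None)

def flag_vpn_logins(log_text):
    """Return alerts for SSL VPN logins sourced from hosting-provider ranges."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        provider = hosting_provider(fields.get("src", ""))
        if fields.get("event") != "sslvpn_login" or provider is None:
            continue
        # A successful login is the urgent case; failures still show probing.
        severity = "high" if fields.get("result") == "success" else "low"
        alerts.append({**fields, "provider": provider, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in flag_vpn_logins(SAMPLE_LOG):
        print(alert["severity"], alert["time"], alert["user"], alert["src"], alert["provider"])
```

In practice the range list would come from a maintained ASN or hosting-provider feed, and alerts for accounts such as LDAP or service accounts would be reviewed first.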