SonicWall dismisses zero-day fears after Ransomware probe
August 08, 2025 
SonicWall found no evidence of a new vulnerability after probing reports of a zero-day used in ransomware attacks.
SonicWall investigated claims of a zero-day being used in ransomware attacks but found no evidence of any new vulnerability in its products.
SonicWall launched the investigation after a surge in Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled. The company worked to determine if the incidents stem from an existing flaw or a newly discovered vulnerability.
“Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled.” reads the statement published by the vendor. This includes threat activity highlighted by third-party cybersecurity research teams such as:
- Arctic Wolf
- Google Mandiant
- Huntress
We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.”
Arctic Wolf Labs researchers reported that Akira ransomware is exploiting SonicWall SSL VPNs in a likely zero-day attack, targeting even fully patched devices. Arctic Wolf Labs observed multiple intrusions via VPN access in late July 2025. Evidence suggests a likely zero-day in SonicWall VPNs, as fully patched devices with MFA and rotated credentials were still compromised in some attacks.
“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability.” reads the report published by Arctic Wolf Labs. “In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP MFA being enabled, accounts were still compromised in some instances.”
Ransomware activity targeting SonicWall SSL VPNs surged from July 15, 2025, with similar cases dating back to October 2024. Attackers often used VPS hosting for VPN logins, unlike legitimate access from ISPs. Arctic Wolf observed short delays between access and encryption and is applying its own recommended defenses internally.
The researchers recommend that organizations consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.
Cybersecurity firm Huntress detected about 20 attacks since July 25, 2025, using tools like AnyDesk, ScreenConnect, and SSH. The activity appears limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled, likely exploiting a flaw in firmware versions 7.2.0-7015 and earlier.
SonicWall advises enabling security services like Botnet Protection, enforcing MFA for all remote access, and removing unused firewall accounts. The experts recommend regular password updates. To limit exposure to malicious VPN logins, organizations should consider blocking VPN authentication from hosting-related ASNs, though full blocking could disrupt operations. These steps help improve security but may not fully prevent the described threat.
SonicWall urges Gen 7 firewall users to immediately apply key mitigations amid an ongoing investigation. Recommended actions include disabling SSLVPN where possible, restricting access to trusted IPs, enabling security services like Botnet Protection and Geo-IP Filtering, enforcing MFA (though it may not fully prevent the threat), removing unused accounts, especially those with SSLVPN access, and maintaining strong password practices. These steps aim to reduce risk while SonicWall continues its investigation.
SonicWall has now confirmed that there’s no zero-day involved in recent ransomware attacks, but rather the exploitation of a known flaw, CVE-2024-40766. This vulnerability, disclosed in September 2024, was used by threat actors, particularly in Akira ransomware attacks, to steal device credentials. While many systems have since been patched, attackers can still access them if credentials weren’t changed. Fewer than 40 related incidents are under investigation by SonicWall, mostly tied to firewall migrations.
“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015.” reads the advisory published by the security vendor.
“We are currently investigating less than 40 incidents related to this cyber activity. Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset. Resetting passwords was a critical step outlined in the original advisory. “
The vendor advises updating to firmware 7.3.0+ and resetting all local passwords, especially for SSLVPN, to improve security. However, some users on Reddit question the company’s explanation, citing breaches on accounts created after migrating to Gen 7 firewalls and claiming SonicWall refused to review their logs.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)
