SonicWall investigates ‘cyber incidents’ amid 0-day reports • The Register


SonicWall on Monday confirmed that it’s investigating a rash of ransomware activity targeting its firewall devices, following multiple reports of a zero-day bug under active exploit in its VPNs.

“SonicWall is actively investigating a recent increase in reported cyber incidents involving a number of Gen 7 firewalls running various firmware versions with SSL VPN enabled,” a company spokesperson told The Register.

“These cases have been flagged both internally and by third-party threat research teams, including Arctic Wolf, Google Mandiant, and Huntress,” the spokesperson continued. “We are working closely with these organizations to determine whether the activity is tied to a previously disclosed vulnerability or represents a zero-day vulnerability.”

While the firewall vendor has yet to confirm a new bug, if and when it does spot a security flaw, SonicWall promised to release updated firmware and guidance “as quickly as possible.”

In the meantime, the vendor urged customers using Gen 7 firewalls to disable SSL VPN services “where practical,” and take the following steps to mitigate any potential intrusions:

  • Limit SSL VPN connectivity to trusted source IPs. 
  • Ensure Security Services such as botnet protection and geo-IP filters are enabled. 
  • Remove unused or inactive firewall user accounts. 
  • Promote strong password hygiene. 
  • Enforce multi-factor authentication (MFA) for all remote access.

However, the vendor did warn that MFA enforcement alone may not protect against the ransomware activity under investigation.
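As an added illustration of the first and third mitigations above (this is not code from SonicWall, The Register, or any of the firms quoted), the following Python script audits a constructed set of SSL VPN login events for successful logins from outside a trusted-IP allowlist and for accounts with no successful login in the last 30 days. The line format, networks, account names and reference date are all assumptions made for the example and are not SonicWall's actual log schema.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not SonicWall's syslog schema).
SAMPLE_LOG = """\
2025-07-20T08:01:10Z user=alice src=203.0.113.10 result=success
2025-07-22T02:14:55Z user=svc-backup src=198.51.100.77 result=success
2025-07-22T02:15:30Z user=alice src=198.51.100.77 result=success
2025-07-23T09:30:00Z user=bob src=203.0.113.22 result=failure
"""

# Assumed allowlist of source ranges that may reach the SSL VPN.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed export of firewall user accounts.
ACCOUNTS = ["alice", "bob", "svc-backup", "contractor-old"]
INACTIVE_DAYS = 30
NOW = datetime(2025, 8, 4)  # fixed reference time so results are reproducible


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": kv["user"],
            "src": ipaddress.ip_address(kv["src"]),
            "ok": kv["result"] == "success",
        })
    return events


def untrusted_logins(events, trusted=TRUSTED_NETS):
    """Successful logins whose source address is outside every trusted range."""
    return [e for e in events
            if e["ok"] and not any(e["src"] in net for net in trusted)]


def inactive_accounts(events, accounts=ACCOUNTS, now=NOW, days=INACTIVE_DAYS):
    """Accounts with no successful login inside the window: removal candidates."""
    last_seen = {}
    for e in events:
        if e["ok"]:
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["time"]), e["time"])
    cutoff = now - timedelta(days=days)
    return sorted(a for a in accounts if last_seen.get(a, datetime.min) < cutoff)
```

Running it on the sample flags the two successful logins from 198.51.100.77 and lists bob (failed login only) and contractor-old (never seen) as inactive.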

Considering that all manner of miscreants, from Chinese government cyberspies to ransomware and extortion gangs, have made a hobby of hijacking SonicWall VPNs in the past, we’d suggest implementing these mitigation measures ASAP, while keeping an eye out for any upcoming vulnerability disclosures and subsequent patches.

SonicWall’s admission follows other security shops’ alerts about ransomware gangs exploiting a likely zero-day in SonicWall VPNs to bypass MFA and deploy ransomware.

Huntress, in a Monday advisory, said that its Security Operations Center has been responding over the last few days to “a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances.”


The attackers are pivoting directly from the buggy devices straight to domain controllers within hours of the initial breach, and post-exploit activity includes stealing credentials, disabling security tools, and deploying ransomware. Huntress said the culprit likely deployed Akira ransomware. It’s worth noting that Akira ransomware affiliates also abused a critical SonicWall bug last year.

“The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild,” the threat intel team wrote.

This echoes a similar warning from fellow security operations firm Arctic Wolf on Friday, which noted an uptick in ransomware activity involving SonicWall SSL VPNs beginning July 15, despite MFA being enabled.

Arctic Wolf also pointed its finger at Akira, which was one of the FBI’s five most reported ransomware variants targeting critical infrastructure last year.

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” Arctic Wolf senior threat intelligence researcher Julian Tuin wrote. “In some instances, fully patched SonicWall devices were affected following credential rotation.”

Tuin also suggested disabling the SonicWall SSL VPN service until a patch is made available, considering “the high likelihood of a zero-day vulnerability.”

Plus, on July 16 — one day after Arctic Wolf spotted the surge in ransomware activity targeting SonicWall devices — Google warned that unknown criminals were seen exploiting fully patched, end-of-life SonicWall VPNs to deploy a previously unknown backdoor and rootkit, likely for data theft and extortion.

At the time, Google said it was possible that the digital intruders were exploiting known vulnerabilities to deploy the OVERSTEP backdoor.

Or they may have used a zero-day: “GTIG assesses with moderate confidence that UNC6148 may have used an unknown, zero-day remote code execution vulnerability to deploy OVERSTEP on targeted SonicWall SMA appliances,” the threat hunters opined.

It’s unclear how many orgs have been victimized so far.

“This is an active campaign, and as of now, it’s too early to determine the size and scope,” Arctic Wolf Labs told El Reg. “We hope to share more details in the coming days as our investigation develops.”

If this latest rash of SonicWall hijacking turns out to be a zero-day, it will be SonicWall’s second so far this year.

In January, the firewall firm warned customers that CVE-2025-23006, a critical bug in its SMA 1000 product, could allow a remote, unauthenticated attacker to execute arbitrary OS commands — and, by the way, it was likely exploited before a patch was issued.

A month later, Arctic Wolf said miscreants were actively abusing a high-severity authentication bypass bug tracked as CVE-2024-53704 in the SSL VPN authentication mechanism in SonicOS. While this one wasn’t exploited as a zero-day, criminals made quick work of the security flaw after proof-of-concept exploit code was made public. ®
