SonicWall has warned customers to disable SSLVPN services due to ransomware gangs potentially exploiting an unknown security vulnerability in SonicWall Gen 7 firewalls to breach networks over the past few weeks.
The warning comes after Arctic Wolf Labs reported on Friday that it had observed multiple Akira ransomware attacks, likely using a SonicWall zero-day vulnerability, since July 15th.
“The initial access methods have not yet been confirmed in this campaign,” the Arctic Wolf Labs researchers said. “While the existence of a zero-day vulnerability is highly plausible, credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases.”
Arctic Wolf also advised SonicWall administrators on Friday to temporarily disable SonicWall SSL VPN services due to the strong possibility that a SonicWall zero-day vulnerability was being exploited in these attacks.
Cybersecurity company Huntress also confirmed Arctic Wolf’s findings on Monday and published a report providing indicators of compromise (IOCs) collected while investigating this campaign.
“A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware,” Huntress warned. “Huntress advises disabling the VPN service immediately or severely restricting access via IP allow-listing. We’re seeing threat actors pivot directly to domain controllers within hours of the initial breach.”
The same day, SonicWall confirmed it is aware of this campaign and published an advisory urging customers to secure their firewalls against ongoing attacks by:
- Disabling SSL VPN services whenever possible,
- Limiting SSL VPN connectivity to trusted source IP addresses,
- Enabling security services such as Botnet Protection and Geo-IP Filtering to identify and block known threat actors targeting SSL VPN endpoints,
- Enforcing Multi-Factor Authentication (MFA) for all remote access to minimize the risk of credential abuse,
- Removing unused accounts.
“Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled,” the company said.
“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible. Please remain vigilant and apply the above mitigations immediately to reduce exposure while we continue our investigation.”
Two weeks ago, SonicWall also warned admins to patch their SMA 100 appliances against a critical security vulnerability (CVE-2025-40599) that may be exploited to gain remote code execution on unpatched devices.
Although attackers would require admin privileges to exploit CVE-2025-40599, and there is currently no evidence of active exploitation of this vulnerability, the company still urged customers to secure their SMA 100 appliances, as these devices are already being targeted in attacks that use compromised credentials to deploy the new OVERSTEP rootkit malware.