Saturday, January 17, 2026

SonicWall Gen 7 Firewalls Under Attack: Spike Reported

SonicWall has issued an urgent security warning following a dramatic surge in cyberattacks targeting Gen 7 firewalls with SSL VPN enabled over the past 72 hours.

The company is actively investigating whether these incidents stem from a previously disclosed vulnerability or represent an entirely new zero-day exploit being weaponized by ransomware operators.

Security researchers from Arctic Wolf, Google Mandiant, and Huntress have identified a concerning pattern of attacks beginning July 15, 2025, with activity significantly intensifying in recent days.

The speed and success of these intrusions, even against environments with multi-factor authentication enabled and fully patched devices, strongly suggest the existence of an unknown zero-day vulnerability.

Arctic Wolf Labs reported observing “multiple pre-ransomware intrusions within a short period of time, each involving VPN access through SonicWall SSL VPNs”.

Particularly alarming is evidence that fully patched SonicWall devices were compromised even after credential rotation and with time-based one-time password (TOTP) MFA enabled.

Arctic Wolf has documented at least 20 separate attacks between July 25 and August 3, 2025, with variations in tradecraft but consistent attack patterns.

The evidence points to TZ and NSa-series SonicWall firewalls running firmware versions 7.2.0-7015 and earlier being particularly vulnerable.

In contrast with legitimate VPN logins, which typically originate from broadband internet service providers, these attacks consistently use Virtual Private Server (VPS) hosting for VPN authentication, a hallmark of ransomware operations.
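The hosting-versus-broadband distinction above is something a defender can check in bulk. The following is an added example, not code from the article, SonicWall, or any of the research firms it cites: it parses constructed key=value log lines loosely modelled on a firewall's SSL VPN login events (the field names `time`, `msg`, `usr` and `src` are assumptions, not SonicWall's exact schema) and reports successful logins whose source address falls inside prefixes the operator has tagged as VPS/hosting space. The prefix list here is a placeholder using documentation ranges; in practice it would be populated from a hosting-provider or ASN feed the organisation trusts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real SonicWall output): a key=value layout
# loosely modelled on an SSL VPN login event. Addresses are documentation ranges.
SAMPLE_LOGS = [
    'time="2025-07-28 02:14:05" msg="SSL VPN user login successful" usr="jsmith" src=203.0.113.45',
    'time="2025-07-28 08:02:11" msg="SSL VPN user login successful" usr="amiller" src=198.51.100.23',
    'time="2025-07-28 03:41:52" msg="SSL VPN user login successful" usr="svc_backup" src=203.0.113.77',
    'time="2025-07-28 09:15:00" msg="SSL VPN user login failed" usr="jsmith" src=192.0.2.10',
]

# Placeholder: prefixes the organisation has tagged as VPS/hosting space.
# Replace with a trusted hosting-provider/ASN feed; this value is constructed.
HOSTING_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# key=value pairs, with values either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def is_hosting_source(ip_str):
    """True when the address sits inside a tagged hosting prefix."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in HOSTING_PREFIXES)


def triage(lines):
    """Return {user: [source IPs]} for successful SSL VPN logins from hosting space.

    Failed logins are skipped: the signal in the article is a *successful*
    authentication from infrastructure a normal remote worker would not use.
    """
    hits = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f.get("msg") != "SSL VPN user login successful":
            continue
        if "src" in f and is_hosting_source(f["src"]):
            hits[f.get("usr", "<unknown>")].append(f["src"])
    return dict(hits)


if __name__ == "__main__":
    for user, sources in triage(SAMPLE_LOGS).items():
        print(f"REVIEW {user}: successful SSL VPN login(s) from hosting space {sources}")
```

Each flagged user is a candidate for credential rotation and session review rather than an automatic verdict; the value of the check is that it narrows a day of VPN logins down to the handful that share the attackers' infrastructure pattern.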


The primary threat actor behind this campaign appears to be the Akira ransomware group, which has established a pattern of rapid post-exploitation activity.

Huntress researchers documented threat actors pivoting directly to domain controllers within hours of initial breach, following a well-established attack chain.

The typical attack sequence begins with compromise of the SonicWall appliance, followed by immediate abuse of privileged accounts such as over-privileged LDAP or service accounts used by the SonicWall device itself.

Attackers then establish persistent command and control through Cloudflared tunnels and OpenSSH, often staged from C:\ProgramData directories.

For lateral movement and credential theft, threat actors employ Windows Management Instrumentation (WMI) and PowerShell Remoting to traverse networks.

Security researchers have captured evidence of scripts designed to dump and decrypt credentials from Veeam Backup databases, as well as use of wbadmin.exe to back up Active Directory databases for offline cracking.

Before deploying ransomware, attackers methodically disable security tools using built-in Windows tooling, such as the Set-MpPreference PowerShell cmdlet to neutralize Microsoft Defender and netsh.exe to disable the Windows Firewall.
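The post-compromise chain described in the preceding paragraphs (tunnelling binaries staged under C:\ProgramData, Set-MpPreference used to weaken Defender, netsh disabling the firewall, wbadmin copying the directory database) is visible in ordinary process-creation telemetry. The following is an added example, not code from the article or from any of the firms it cites: it runs a handful of detection rules over constructed process events (hostnames, paths and command lines are made up) and ranks hosts by how many distinct rules they trigger, because one hit may be an administrator but three in a row on the same machine is the pattern Huntress describes.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (shape assumed for this example)."""
    host: str
    image: str      # full path of the executable
    cmdline: str    # command line as recorded


# Constructed sample telemetry; none of these hosts or commands are real captures.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\ProgramData\cloudflared.exe", "cloudflared.exe tunnel run"),
    ProcEvent("DC01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("DC01", r"C:\Windows\System32\netsh.exe",
              "netsh advfirewall set allprofiles state off"),
    ProcEvent("DC01", r"C:\Windows\System32\wbadmin.exe",
              r"wbadmin start backup -backupTarget:D: -include:C:\Windows\NTDS -quiet"),
    ProcEvent("WS02", r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),
    ProcEvent("WS02", r"C:\Program Files\Cloudflare\cloudflared.exe", "cloudflared.exe tunnel run"),
]


def rule_tunnel_from_programdata(e):
    # Tunnelling/SSH binaries are legitimate software; the signal is the
    # staging location, which matches what the article reports.
    return (re.match(r"(?i)c:\\programdata\\", e.image) is not None
            and re.search(r"(?i)\\(cloudflared|ssh|sshd)\.exe$", e.image) is not None)


def rule_defender_weakened(e):
    # Any Set-MpPreference call that switches a -Disable* option.
    return re.search(r"(?i)set-mppreference\b.*-disable\w+", e.cmdline) is not None


def rule_firewall_off(e):
    # netsh advfirewall set <profile> state off (any profile, incl. allprofiles).
    return re.search(r"(?i)netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off",
                     e.cmdline) is not None


def rule_ad_database_backup(e):
    # wbadmin backups are routine; restrict to ones that include the NTDS
    # directory, which holds the Active Directory database.
    return re.search(r"(?i)wbadmin(\.exe)?\s+start\s+backup.*ntds", e.cmdline) is not None


RULES = [
    ("tunnel_from_programdata", rule_tunnel_from_programdata),
    ("defender_weakened", rule_defender_weakened),
    ("firewall_off", rule_firewall_off),
    ("ad_database_backup", rule_ad_database_backup),
]


def detect(events):
    """Return (host, rule_name) for every event that matches a rule."""
    return [(e.host, name) for e in events for name, rule in RULES if rule(e)]


def rank_hosts(events):
    """Hosts ordered by number of *distinct* rules triggered, most first."""
    per_host = {}
    for host, name in detect(events):
        per_host.setdefault(host, set()).add(name)
    return sorted(((h, len(r)) for h, r in per_host.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for host, count in rank_hosts(SAMPLE_EVENTS):
        print(f"{host}: {count} distinct defence-evasion/collection rule(s) fired")
```

The ranking step is deliberate: each rule alone will fire occasionally on administrators, but the combination of Defender being weakened, the firewall being dropped and the directory database being copied on the same host within a short window is the pre-ransomware sequence the article describes, and is worth an immediate look at that host's remote sessions and the firewall's service account.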

Security Recommendations

SonicWall has issued emergency mitigation guidance for all partners and customers using Gen 7 firewalls.

The company strongly recommends disabling SSL VPN services where practical, noting that all other security measures should still be implemented even if disabling SSL VPN is not viable.

For organizations unable to completely disable SSL VPN functionality, SonicWall advises limiting SSL VPN connectivity to trusted source IP addresses only.

Additional protective measures include activating security services such as Botnet Protection and Geo-IP Filtering, which help detect and block known threat actors targeting SSL VPN endpoints.

The company emphasizes enforcing multi-factor authentication for all remote access, though it warns that some reports suggest MFA enforcement alone may not protect against the activity under investigation.

Organizations should also remove any inactive or unused local user accounts on firewalls, paying special attention to those with SSL VPN access, and encourage regular password updates across all user accounts.
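The recommendations above amount to a checklist that can be audited rather than read. The following is an added example, not code from the article or from SonicWall: it evaluates a constructed, simplified representation of a firewall's remote-access settings (the keys `sslvpn`, `services` and `local_users` and their fields are assumptions for this example, not SonicWall's configuration schema) against each recommendation, and shows a weak configuration beside a hardened one. The 90-day inactivity and password-age thresholds are assumed policy values, not vendor defaults.

```python
from datetime import date

# Assumed policy thresholds for this example; adjust to local policy.
INACTIVE_DAYS = 90
PASSWORD_MAX_AGE_DAYS = 90

# Constructed "before" configuration: SSL VPN open to the world, no MFA,
# protective services off, stale local accounts with VPN access.
WEAK_CONFIG = {
    "sslvpn": {"enabled": True, "allowed_source_cidrs": [], "mfa_required": False},
    "services": {"botnet_protection": False, "geoip_filter": False},
    "local_users": [
        {"name": "admin", "sslvpn_access": False,
         "last_login": "2025-07-30", "password_changed": "2025-06-01"},
        {"name": "contractor1", "sslvpn_access": True,
         "last_login": "2024-11-02", "password_changed": "2024-05-10"},
        {"name": "vpnuser2", "sslvpn_access": True,
         "last_login": None, "password_changed": "2025-01-15"},
    ],
}

# Constructed "after" configuration applying the article's guidance for a site
# that cannot disable SSL VPN outright: trusted sources only, MFA, services on,
# unused accounts removed. 198.51.100.0/24 is a documentation range placeholder.
HARDENED_CONFIG = {
    "sslvpn": {"enabled": True, "allowed_source_cidrs": ["198.51.100.0/24"], "mfa_required": True},
    "services": {"botnet_protection": True, "geoip_filter": True},
    "local_users": [
        {"name": "admin", "sslvpn_access": False,
         "last_login": "2025-07-30", "password_changed": "2025-06-01"},
    ],
}


def _days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def audit(cfg, today_iso="2025-08-04"):
    """Return a list of (severity, message) findings for cfg as of today_iso."""
    today = date.fromisoformat(today_iso)
    findings = []
    vpn = cfg["sslvpn"]
    if vpn["enabled"]:
        # Disabling is the first recommendation; if it stays on, the rest apply.
        findings.append(("info", "SSL VPN is enabled; disable it where practical"))
        if not vpn["allowed_source_cidrs"]:
            findings.append(("high", "SSL VPN accepts any source address; restrict to trusted IPs"))
        if not vpn["mfa_required"]:
            findings.append(("high", "MFA is not enforced for SSL VPN users"))
    for svc in ("botnet_protection", "geoip_filter"):
        if not cfg["services"].get(svc, False):
            findings.append(("medium", f"{svc} is disabled"))
    for user in cfg["local_users"]:
        name = user["name"]
        # Inactive accounts matter most when they can reach the SSL VPN.
        sev = "high" if user["sslvpn_access"] else "medium"
        if user["last_login"] is None:
            findings.append((sev, f"local account {name} has never logged in; remove it"))
        elif _days_since(user["last_login"], today) > INACTIVE_DAYS:
            findings.append((sev, f"local account {name} inactive over {INACTIVE_DAYS} days; remove it"))
        if _days_since(user["password_changed"], today) > PASSWORD_MAX_AGE_DAYS:
            findings.append(("medium", f"local account {name} password older than "
                                       f"{PASSWORD_MAX_AGE_DAYS} days; rotate it"))
    return findings


def summary(cfg, today_iso="2025-08-04"):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for sev, _ in audit(cfg, today_iso):
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {summary(cfg)}")
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```

The hardened configuration still carries the single informational finding that SSL VPN is enabled, which mirrors the article's ordering: restricting sources, enforcing MFA and pruning accounts reduce exposure, but SonicWall's first recommendation remains to turn the service off where the business can tolerate it.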

SonicWall continues working closely with external threat research partners and has committed to releasing updated firmware and instructions promptly if a new vulnerability is confirmed. The company will continue updating its knowledge base as additional information becomes available.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
