SonicWall Urges Immediate SSLVPN Disablement as Zero-Day Exploits Surge
SonicWall has taken the extraordinary step of advising customers to immediately disable SSLVPN services on their Gen 7 firewalls following a surge in ransomware attacks that may be exploiting an unpatched vulnerability. The warning comes after Arctic Wolf Labs and Huntress independently confirmed malicious campaigns targeting SonicWall appliances, with full network compromise following within hours of initial access.
Zero-Day Suspected in Rapid Network Takeovers
According to Arctic Wolf Labs, since July 15 Akira ransomware operators appear to have been leveraging an unknown vulnerability in SonicWall appliances to bypass security controls. Huntress researchers corroborated these findings, noting:
"A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. We're seeing threat actors pivot directly to domain controllers within hours of the initial breach."
While credential-based attacks haven't been ruled out, the speed and sophistication of the breaches strongly suggest zero-day exploitation. The attacks enable threat actors to completely circumvent multi-factor authentication—a critical enterprise security layer.
SonicWall's Critical Mitigation Steps
In its emergency advisory, SonicWall emphasized these immediate actions for all Gen 7 firewall administrators:
- Disable SSLVPN services where possible
- Restrict SSLVPN access via IP allow-listing to trusted sources
- Enable Botnet Protection and Geo-IP Filtering
- Enforce MFA for all remote access
- Audit and remove unused accounts
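The five mitigations above, expressed as a posture check an administrator could run against a configuration snapshot. This is an added example and not SonicWall's tooling; the snapshot format, its field names and the 90-day idle threshold are assumptions, and the sample snapshot is constructed.

```python
"""Audit a firewall posture snapshot against the advisory's five mitigations.
The snapshot layout below is hypothetical, not a SonicWall export format."""
import ipaddress
from datetime import date

STALE_DAYS = 90                 # assumption: idle longer than this = "unused"
TODAY = date(2025, 8, 5)        # reference date for the constructed sample

def check_allowlist(cidrs):
    """True only if every allowed source is a specific network: no 0.0.0.0/0
    or ::/0, and nothing wider than an IPv4 /16 or an IPv6 /48."""
    if not cidrs:
        return False
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            return False
        if (net.version == 4 and net.prefixlen < 16) or \
           (net.version == 6 and net.prefixlen < 48):
            return False
    return True

def stale_accounts(accounts, today):
    """Accounts that never logged in or have been idle beyond STALE_DAYS."""
    return sorted(name for name, last in accounts.items()
                  if last is None or (today - last).days > STALE_DAYS)

def audit(snapshot, today):
    """Return a list of findings; an empty list means all five controls hold."""
    findings = []
    if snapshot["sslvpn_enabled"]:
        findings.append("SSLVPN enabled: disable it, or restrict access")
        if not check_allowlist(snapshot["sslvpn_allowlist"]):
            findings.append("SSLVPN allow-list missing or too broad")
    if not snapshot["botnet_protection"]:
        findings.append("Botnet Protection disabled")
    if not snapshot["geoip_filtering"]:
        findings.append("Geo-IP Filtering disabled")
    if not snapshot["mfa_required"]:
        findings.append("MFA not enforced for remote access")
    stale = stale_accounts(snapshot["accounts"], today)
    if stale:
        findings.append("Unused accounts to review: " + ", ".join(stale))
    return findings

# Constructed sample: SSLVPN left on with an any-source allow-list.
SAMPLE = {"sslvpn_enabled": True, "sslvpn_allowlist": ["0.0.0.0/0"],
          "botnet_protection": False, "geoip_filtering": True,
          "mfa_required": True,
          "accounts": {"admin": date(2025, 8, 1), "contractor": date(2025, 3, 1),
                       "svc_backup": None}}

if __name__ == "__main__":
    for line in audit(SAMPLE, TODAY):
        print("-", line)
```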
The company stated: "Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled." SonicWall's security teams are actively investigating whether these attacks exploit a known vulnerability or represent a new threat.
Escalating Attack Surface for Critical Infrastructure
This emergency comes just two weeks after SonicWall warned administrators to patch SMA 100 appliances against CVE-2025-40599—a critical flaw enabling remote code execution. While unrelated to the current SSLVPN crisis, it highlights the intensifying targeting of network perimeter devices by ransomware groups. The parallel emergence of the OVERSTEP rootkit malware further demonstrates attackers' focus on compromising foundational security infrastructure.
As organizations await patches or definitive analysis, the universal guidance from SonicWall and cybersecurity responders remains unambiguous: Disable SSLVPN now or enforce aggressive IP restrictions. With ransomware groups demonstrating the capability to compromise domain controllers in a single breach cycle, the window for containment measures is measured in hours—not days.
Source: BleepingComputer (August 5, 2025)