SonicWall Investigates 0-Day Vulnerability in Its Products Amid Surge in Ransomware Attacks


Date: 07/08/2025

SonicWall has warned its customers to disable SSL VPN because, in recent weeks, ransomware attackers have been exploiting a possible vulnerability in SonicWall’s 7th-generation firewalls.

Last week, researchers at Arctic Wolf reported that since July 15, 2025, they had recorded several attacks involving the Akira ransomware, and suggested that the attackers might be exploiting a 0-day vulnerability in SonicWall products.

“The methods used to gain initial access during this campaign have not yet been confirmed,” the researchers wrote. “While the existence of a zero-day vulnerability is quite likely, gaining access through brute force, dictionary attacks, and credential stuffing cannot be ruled out in all cases.”

The researchers recommended that administrators temporarily disable SonicWall SSL VPN services, given the high likelihood that a vulnerability in them is being exploited in these attacks.

Later, researchers at Huntress confirmed their colleagues’ findings and published their own report, containing indicators of compromise gathered while investigating this campaign.

“A potential zero-day vulnerability in SonicWall’s VPN services is actively exploited to bypass multi-factor authentication and deploy ransomware,” warns Huntress.

Huntress also recommended immediately disabling the VPN service or strictly restricting access to an approved list of IP addresses.

“We have observed that attackers move to directly target domain controllers within a few hours after the initial breach,” warned Huntress.

On the same day, SonicWall representatives confirmed that the company was already aware of these attacks. The manufacturer released a security bulletin urging customers to secure their firewalls against the ongoing attacks as follows:

  • disable SSL VPN services where possible;
  • restrict SSL VPN connections to trusted source IP addresses;
  • enable security services, including botnet protection and IP address geo-filtering, to detect and block known threats;
  • use multi-factor authentication for all remote access scenarios to minimize the risk of credential abuse;
  • remove unused accounts.

“In the past 72 hours, there has been a noticeable increase in both internal and external reports of cyber incidents related to 7th generation SonicWall firewalls with SSL VPN enabled,” the company stated. “We are thoroughly investigating these incidents to determine whether they are linked to any previously discovered vulnerability or if the cause could be a new vulnerability. Please remain vigilant and immediately apply the aforementioned measures to mitigate risks while we continue our investigation.”
