SonicWall has warned its customers to disable SSL VPN because, in recent weeks, ransomware attackers have been exploiting a potential vulnerability in the company’s 7th-generation firewalls.
Last week, experts from Arctic Wolf reported that they had recorded several attacks involving the Akira ransomware since July 15, 2025, and suggested that the criminals might be exploiting a zero-day vulnerability in SonicWall products in these attacks.
“The methods used to gain initial access during this campaign have not yet been confirmed,” the researchers wrote. “While the existence of a zero-day vulnerability is quite likely, gaining access through brute force, dictionary attacks, and credential stuffing cannot be ruled out in all cases.”
The experts recommended that administrators temporarily disable SonicWall SSL VPN services, given the high likelihood that a vulnerability related to them is being exploited in the attacks.
Later, experts from Huntress confirmed their colleagues’ findings and published their own report, containing indicators of compromise gathered during the investigation of this campaign.
“A potential zero-day vulnerability in SonicWall’s VPN services is being actively exploited to bypass multi-factor authentication and deploy ransomware,” warns Huntress.
The experts also recommended immediately disabling the VPN service or strictly limiting access to it with a list of approved IP addresses.
“We have observed that attackers move to directly target domain controllers within a few hours after the initial breach,” warned Huntress.
On the same day, SonicWall representatives confirmed that the company is already aware of these attacks. The manufacturer released a security bulletin urging customers to protect their firewalls against the ongoing attacks as follows:
- disable SSL VPN services when possible;
- restrict SSL VPN connections to trusted IP addresses;
- enable protective features, including botnet protection and geo-IP filtering, to detect and block known threats;
- use multi-factor authentication for all remote access scenarios to minimize the risk of credential abuse;
- remove unused accounts.
“In the past 72 hours, there has been a noticeable increase in both internal and external reports of cyber incidents related to 7th-generation SonicWall firewalls with SSL VPN enabled,” the company stated. “We are thoroughly investigating these incidents to determine whether they are linked to any previously discovered vulnerability or if the cause could be a new vulnerability. Please remain vigilant and immediately apply the aforementioned measures to mitigate risks while we continue our investigation.”