SonicWall has warned customers to disable SSL VPN services because ransomware gangs have, over the past few weeks, been actively exploiting a suspected and as yet unidentified zero-day vulnerability in SonicWall Generation 7 firewalls to breach networks.
This is being reported as a critical and ongoing threat.
Vulnerability
Attack chains begin with compromise of the SonicWall appliance, after which the attackers follow a "well-worn" post-exploitation path: enumeration, detection evasion, lateral movement and credential theft.
In the observed incidents the threat actors methodically disable Microsoft Defender Antivirus and delete volume shadow copies before deploying Akira ransomware.
Remote-access tools such as AnyDesk and ScreenConnect, as well as SSH, have been observed being used for reconnaissance and persistence.
Activity appears to be limited to TZ- and NSa-series SonicWall firewalls with SSL VPN enabled, and the suspected flaw is present in firmware versions 7.2.0-7015 and earlier. No fixed firmware had been released at the time of writing, so upgrading alone does not mitigate the threat; the mitigations below apply regardless of firmware version.
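The post-exploitation chain above (Defender tampering, shadow-copy deletion, remote-access tool staging) is the part of this campaign a defender can hunt for in endpoint telemetry while the firewall flaw itself remains unpatched. The following Python is an added example, not code from Integrity360, Huntress or SonicWall: it runs a few command-line rules over a constructed list of process-creation events (the shape of Sysmon Event ID 1 or an EDR process feed) and flags hosts where Defender tampering and shadow-copy deletion occur close together, the pattern the advisory describes immediately before Akira deployment. The regular expressions, the event field names and the sample events are assumptions for illustration.

```python
"""Hunt for the post-exploitation steps described in the advisory in
process-creation telemetry (e.g. Sysmon Event ID 1 or EDR process events).
Added example; the event schema, rules and SAMPLE_EVENTS are constructed."""
import re
from datetime import datetime, timedelta

# Each rule is applied to the lower-cased command line.
RULES = [
    # Deleting volume shadow copies before encryption (vssadmin or wmic).
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    # Turning Defender features off or adding exclusions via PowerShell, or
    # stopping/reconfiguring the WinDefend service.
    ("defender_tampering",
     re.compile(r"set-mppreference\s+.*-disable\w+\s+\$true"
                r"|add-mppreference\s+.*-exclusion"
                r"|sc(\.exe)?\s+(stop|config)\s+windefend")),
    # Remote-access tools the advisory lists for persistence (noisy where
    # they are sanctioned; suppress on hosts where they are expected).
    ("remote_access_tool",
     re.compile(r"\\(anydesk|screenconnect[^\\]*)\.exe\b")),
]

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ts": "2025-08-04T01:12:03", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2025-08-04T01:13:40", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-08-04T00:58:11", "host": "WS22", "user": "CORP\\jdoe",
     "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"ts": "2025-08-03T09:00:00", "host": "WS07", "user": "CORP\\helpdesk",
     "cmdline": r"vssadmin.exe list shadows"},  # benign: listing, not deleting
]


def classify(cmdline):
    """Return the names of every rule the command line matches."""
    low = cmdline.lower()
    return [name for name, rx in RULES if rx.search(low)]


def hunt(events):
    """Return one hit per (event, matched rule); unmatched events are dropped."""
    hits = []
    for ev in events:
        for rule in classify(ev["cmdline"]):
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "rule": rule, "cmdline": ev["cmdline"]})
    return hits


def hosts_staging_ransomware(events, window=timedelta(hours=1)):
    """Hosts where Defender tampering and shadow-copy deletion both fire
    within `window` of each other: the pre-encryption pattern in the advisory."""
    by_host = {}
    for h in hunt(events):
        by_host.setdefault(h["host"], []).append(h)
    flagged = set()
    for host, hs in by_host.items():
        tamper = [datetime.fromisoformat(h["ts"]) for h in hs if h["rule"] == "defender_tampering"]
        wipe = [datetime.fromisoformat(h["ts"]) for h in hs if h["rule"] == "shadow_copy_deletion"]
        if any(abs(w - t) <= window for t in tamper for w in wipe):
            flagged.add(host)
    return flagged


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h['ts']} {h['host']:<5} {h['rule']:<22} {h['cmdline']}")
    print("hosts staging ransomware:", sorted(hosts_staging_ransomware(SAMPLE_EVENTS)))
```

The single-rule hits are useful on their own, but the correlated `hosts_staging_ransomware` result is the one to page on: a host that has just lost Defender and its shadow copies is minutes from encryption, and isolating it is more urgent than investigating the remote-access tool on another machine.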
Recommendations
SonicWall has indicated that it will publish patches and further recommendations as soon as the root cause is established. While the investigation continues, organisations running Gen 7 SonicWall firewalls are advised to follow the steps below until further notice:
- Disable SSL VPN services where practical
- Where SSL VPN cannot be disabled, restrict SSL VPN connectivity to trusted source IP addresses
- Enable Botnet Protection and Geo-IP Filtering
- Enforce multi-factor authentication (MFA) for all SSL VPN users
- Remove inactive or unused local user accounts on the firewall, particularly those with SSL VPN access
- Rotate passwords on all user accounts regularly
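Several of the steps above (restricting SSL VPN to trusted sources, enforcing MFA, removing stale local accounts) can be checked offline from an export before anyone changes the firewall. The following Python is an added example, not Integrity360 or SonicWall code: it audits a constructed export of firewall local users and SSL VPN authentication events against a trusted-source allowlist and an inactivity threshold. The record layout, the group name "SSLVPN Services", the field names and all sample data are assumptions; adapt the loader to whatever your firewall or SIEM actually exports.

```python
"""Offline audit of SSL VPN exposure against the advisory's mitigations.
Added example; the export format, field names and sample data are assumed."""
import ipaddress
from datetime import datetime, timedelta

# Assumed allowlist of networks SSL VPN should be reachable from
# (documentation ranges used as stand-ins).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
VPN_GROUP = "SSLVPN Services"          # assumed name of the group granting SSL VPN access
NOW = datetime(2025, 8, 5, 12, 0, 0)   # fixed "now" so the example is reproducible

USERS = [  # constructed export of firewall local user accounts
    {"name": "jsmith",       "groups": [VPN_GROUP],                   "mfa": True,  "last_login": "2025-07-30T08:15:00"},
    {"name": "contractor01", "groups": [VPN_GROUP],                   "mfa": False, "last_login": "2025-02-11T17:02:00"},
    {"name": "backup-admin", "groups": ["Administrators"],            "mfa": False, "last_login": None},
    {"name": "itops",        "groups": [VPN_GROUP, "Administrators"], "mfa": True,  "last_login": "2025-08-01T09:00:00"},
]

LOGINS = [  # constructed SSL VPN authentication events
    {"ts": "2025-08-01T09:00:00", "user": "itops",        "src": "203.0.113.40", "result": "success"},
    {"ts": "2025-08-02T02:39:55", "user": "contractor01", "src": "192.0.2.77",   "result": "failure"},
    {"ts": "2025-08-02T02:41:10", "user": "contractor01", "src": "192.0.2.77",   "result": "success"},
]


def has_vpn_access(user):
    return VPN_GROUP in user["groups"]


def stale_vpn_accounts(users, now=NOW, max_idle=timedelta(days=90)):
    """SSL VPN-capable accounts that have never logged in or are idle past max_idle."""
    stale = []
    for u in users:
        if not has_vpn_access(u):
            continue
        if u["last_login"] is None or now - datetime.fromisoformat(u["last_login"]) > max_idle:
            stale.append(u["name"])
    return stale


def vpn_accounts_without_mfa(users):
    """SSL VPN-capable accounts where MFA is not enforced."""
    return [u["name"] for u in users if has_vpn_access(u) and not u["mfa"]]


def untrusted_logins(logins, nets=TRUSTED_NETS):
    """Authentication events whose source address is outside every trusted network."""
    return [l for l in logins
            if not any(ipaddress.ip_address(l["src"]) in n for n in nets)]


def audit(users=USERS, logins=LOGINS, now=NOW):
    untrusted = untrusted_logins(logins)
    return {
        "stale_vpn_accounts": stale_vpn_accounts(users, now),
        "vpn_accounts_without_mfa": vpn_accounts_without_mfa(users),
        # A successful login from an untrusted source needs investigating,
        # not just allowlisting after the fact.
        "untrusted_successful_logins": [l for l in untrusted if l["result"] == "success"],
        "untrusted_sources": sorted({l["src"] for l in untrusted}),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

The findings map directly onto the list: stale accounts are candidates for removal, accounts without MFA need it enforced, and untrusted source addresses are either missing from the allowlist or evidence that the restriction has not been applied. The advisory gives no CLI or UI steps for the firewall itself, so the changes are made in the SonicOS management interface after the export has been reviewed.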
If you have a vulnerable device that you believe may be compromised, contact the Integrity360 Incident Response team immediately.
Additional Information
Huntress's write-up of the exploitation activity against SonicWall SSL VPN can be found here:
https://www.huntress.com/blog/exploitation-of-sonicwall-vpn
Reference
- https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-disable-sslvpn-amid-rising-attacks/
- https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.