Attackers are exploiting a likely zero-day vulnerability in some versions of SonicWall firewall devices with the SSL VPN functionality enabled, and in some cases are able to bypass MFA protections.

The intrusions have been ongoing since at least the end of last week, and researchers have observed some attackers deploying the Akira ransomware after the initial compromise. SonicWall is recommending that customers disable the SSL VPN feature in affected devices, which are the Gen 7 firewalls.

Researchers at Arctic Wolf, Huntress, and several other threat intelligence groups have observed the intrusions targeting SonicWall devices in the past few days, and while there may be other tactics involved in the attacks, the targeting of a zero-day is quite likely, they say.

“In late July 2025, Arctic Wolf observed an increase in ransomware activity targeting SonicWall firewall devices for initial access. In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” said Julian Tuin of Arctic Wolf.

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability. In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP MFA being enabled, accounts were still compromised in some instances.”

What’s Going On

  • Unknown threat actors are systematically targeting SonicWall Firewalls with the SSL VPN feature enabled. Affected devices are running versions 7.2.0-7015 and earlier of the firmware.
  • After the initial exploitation, the attackers move quickly to gain admin access, establish a persistent backdoor on the device, and then move laterally and harvest credentials.
  • The attackers also disable security tools such as Microsoft Defender.
  • Ultimately, the attackers deploy the Akira ransomware.

“We’ve currently had around 20 different attacks that are directly related to this particular set of events, with the first of these starting on July 25. Of these attacks, there are some similarities, but also some differences in how each attacker operated. It is apparent that some of these attackers have at least part of the same playbook, or that they are adaptive to whatever situations they happen to encounter,” the Huntress researchers said. 

For organizations running vulnerable versions of the firewall firmware, SonicWall advises turning off the SSL VPN feature or limiting connection to known, trusted IP addresses. 
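A triage script that applies the two points above (firmware 7.2.0-7015 and earlier is affected; either disable SSL VPN or restrict it to trusted addresses) to a device inventory. It is an added example, not code from Decipher or SonicWall; the inventory layout, field names, and every firmware string other than 7.2.0-7015 are constructed assumptions. Because the researchers quoted above report fully patched devices being compromised, a newer build with SSL VPN still open is labelled for review rather than treated as safe.

```python
import ipaddress
import re

# Highest firmware build the article names as affected ("7.2.0-7015 and
# earlier"); builds at or below it are flagged.
LAST_AFFECTED = "7.2.0-7015"

def parse_version(v):
    """'7.2.0-7015' -> (7, 2, 0, 7015); the build suffix is optional."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def is_affected_version(v):
    return parse_version(v) <= parse_version(LAST_AFFECTED)

def assess(device, trusted_nets):
    """Label one device against the vendor's two mitigations."""
    if not device["sslvpn_enabled"]:
        return "mitigated"          # SSL VPN turned off
    sources = [ipaddress.ip_network(s) for s in device["sslvpn_allowed_sources"]]
    restricted = all(any(s.version == t.version and s.subnet_of(t)
                         for t in trusted_nets) for s in sources)
    if restricted:
        return "restricted"         # reachable only from trusted addresses
    if is_affected_version(device["firmware"]):
        return "exposed"            # affected build, open to any source
    return "review"                 # newer build; patched devices were hit too

def triage(inventory, trusted_nets):
    return {d["name"]: assess(d, trusted_nets) for d in inventory}

# Constructed sample inventory (assumed field names, not a SonicWall export);
# firmware strings other than 7.2.0-7015 are made up for illustration.
INVENTORY = [
    {"name": "fw-hq", "firmware": "7.2.0-7015", "sslvpn_enabled": True,
     "sslvpn_allowed_sources": ["0.0.0.0/0"]},
    {"name": "fw-dc", "firmware": "7.1.2-7019", "sslvpn_enabled": True,
     "sslvpn_allowed_sources": ["203.0.113.0/24"]},
    {"name": "fw-lab", "firmware": "7.2.0-7015", "sslvpn_enabled": False,
     "sslvpn_allowed_sources": ["0.0.0.0/0"]},
    {"name": "fw-new", "firmware": "7.3.0-7012", "sslvpn_enabled": True,
     "sslvpn_allowed_sources": ["0.0.0.0/0"]},
]
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed trusted egress range

if __name__ == "__main__":
    for name, label in triage(INVENTORY, TRUSTED_NETS).items():
        print(f"{name:8s} {label}")
```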

“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” SonicWall said. 

Note: Cisco and Duo are no longer affiliated with Decipher. All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.