SonicWall investigating intrusions in which ransomware may be exploiting an unidentified (zero-day) vulnerability
SonicWall has warned customers running Gen 7 firewalls to take immediate action to secure their systems against a surge in ransomware attacks targeting the firewalls' SSL VPN service.
Recent Attacks and Symptoms
The attacks, attributed to the Akira ransomware and observed since mid-July 2025, were initially suspected to exploit a zero-day vulnerability. SonicWall has since stated with "high confidence" that the current attacks are linked to a known, patched vulnerability (CVE-2024-40766) rather than a zero-day.
The attackers gain access to SonicWall firewalls through the SSL VPN and often escalate quickly from that VPN access to ransomware encryption. Devices have been compromised even with multi-factor authentication enabled, and some cases involved brute-force, dictionary, or credential-stuffing attacks.
Symptoms of compromise include unexpected VPN account access, suspicious logins from Virtual Private Server IPs, and rapid ransomware deployment following VPN breaches.
Recommended Mitigation Measures
To mitigate the risk posed by these ransomware attacks, SonicWall recommends disabling the SSL VPN service where possible until full clarity and patches are confirmed. It also suggests restricting VPN connectivity to trusted IP addresses only and enabling additional protections such as botnet protection, Geo-IP filtering, and strict multi-factor authentication.
Regular password hygiene is also crucial. This includes removing inactive/local user accounts with VPN access, rotating passwords frequently, and avoiding password reuse, especially during device migrations from Gen 6 to Gen 7 firewalls.
Organizations are advised to monitor VPN logs proactively to detect and block suspicious VPN login attempts, especially those originating from known VPS hosting IP ranges used by attackers. They should also apply all SonicWall patches promptly, including those addressing CVE-2025-40596 through CVE-2025-40599 affecting SMA100 appliances.
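The log-monitoring step above, as an added example that is not from SonicWall or the article: a small Python detector that reads SSL VPN authentication events and flags successful logins that come from known VPS hosting ranges or that follow a burst of failed attempts (brute force when one username is retried, credential stuffing when many usernames are tried). The log layout, the VPS prefixes (documentation ranges used as placeholders), the sample events and the failure threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder "VPS hosting" prefixes (documentation ranges); replace with a real intel feed.
VPS_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Assumed, simplified log layout, not SonicWall's native format:
#   <ISO timestamp> user=<name> src=<ip> result=<success|failure>
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(success|failure)$")

SAMPLE_LOG = """\
2025-07-20T02:00:01 user=admin src=192.0.2.10 result=failure
2025-07-20T02:00:02 user=admin src=192.0.2.10 result=failure
2025-07-20T02:00:03 user=admin src=192.0.2.10 result=failure
2025-07-20T02:00:09 user=admin src=192.0.2.10 result=success
2025-07-20T02:30:00 user=bob src=192.0.2.77 result=success
2025-07-20T03:00:00 user=carol src=198.51.100.7 result=success
"""  # constructed sample events

def parse(text):
    """Return (timestamp, user, ip, result) tuples in time order; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(src), result))
    return sorted(events)

def detect(text, fail_threshold=3, window=timedelta(minutes=10)):
    """Flag successful SSL VPN logins that match the indicators described in the advisory."""
    findings = []
    failures = defaultdict(list)   # src ip -> timestamps of failed logins
    users = defaultdict(set)       # src ip -> distinct usernames attempted from that ip
    for ts, user, src, result in parse(text):
        users[src].add(user)
        if result == "failure":
            failures[src].append(ts)
            continue
        if any(src in net for net in VPS_RANGES):   # success from a VPS hosting range
            findings.append(("vps_login", str(src), user))
        recent = [t for t in failures[src] if ts - t <= window]
        if len(recent) >= fail_threshold:           # password guessing right before the success
            kind = "credential_stuffing" if len(users[src]) > 1 else "brute_force"
            findings.append((kind, str(src), user))
    return findings
# detect(SAMPLE_LOG) -> [('brute_force', '192.0.2.10', 'admin'), ('vps_login', '198.51.100.7', 'carol')]
```

Feed the findings to whatever blocks the source address at the firewall; the thresholds are deliberately low here so the constructed sample triggers both rules.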
While SonicWall continues its investigations, organizations are urged to act swiftly to mitigate the risk. The key is balancing operational VPN needs with security controls and vigilance until full resolution and patching are ensured.
The attacks suggest that a zero-day vulnerability may be under exploitation in the wild. SonicWall is working closely with several organizations, including Arctic Wolf, Google Mandiant, and Huntress, to determine whether the activity is tied to a previously disclosed vulnerability or represents a zero-day. Akira ransomware affiliates have abused a critical SonicWall bug in the past.
If a new bug is confirmed, SonicWall will release updated firmware and guidance as quickly as possible. Huntress has responded to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances.
- SonicWall's warning to Gen 7 firewall users necessitates immediate action to secure the systems, as they are currently under attack by the Akira ransomware, suspected to exploit a known, patched vulnerability (CVE-2024-40766).
- In addition to disabling the SSL VPN service, organizations can enhance security by restricting VPN connectivity to trusted IP addresses, enabling additional protections such as botnet protection and Geo-IP filtering, and implementing strict multi-factor authentication.
- Because a new, as-yet-unconfirmed zero-day vulnerability may be involved, AI-powered threat intelligence and cybersecurity firms such as Arctic Wolf, Google Mandiant, and Huntress are working closely with SonicWall to determine the nature of these attacks and to provide updates and solutions promptly.