Multiple security researchers are reporting active exploitation of a “likely” zero-day vulnerability affecting SonicWall VPN devices. The devices impacted are SonicWall Gen7 firewalls with SSL VPN enabled. Reported activity after initial exploitation has included privilege escalation, lateral movement, data exfiltration, and the deployment of Akira ransomware.
Breaches have been reported against firewall devices that were fully updated, and even where multi-factor authentication was enabled. Researchers have suggested this may indicate exploitation of an as-yet-unidentified zero-day vulnerability.
Cybersecurity watchdogs from Arctic Wolf, Google, and Huntress have observed a wave of ransomware attacks that began as early as July 15. To date, roughly 20 organizations have been impacted, and the pace of attacks appears to be rising. Threat researchers and SonicWall are scrambling to determine the root cause.
Charles Carmakal, CTO at Mandiant Consulting, posted on LinkedIn Tuesday that “A financially motivated threat actor is actively compromising victim environments and deploying Akira ransomware…The speed and scale of the compromises suggests a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”
According to Huntress, “This is an active threat that requires immediate attention.”
In a statement to TechRadar Pro, SonicWall said:
“SonicWall is actively investigating a recent increase in reported cyber incidents involving a number of Gen 7 firewalls running various firmware versions with SSLVPN enabled. These cases have been flagged both internally and by third-party threat research teams, including Arctic Wolf, Google Mandiant, and Huntress. We are working closely with these organizations to determine whether the activity is tied to a previously disclosed vulnerability or represents a zero-day vulnerability.
As always, we will communicate openly with our partners and customers as the investigation progresses. If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible.
As a precaution, we strongly urge customers and partners using Gen 7 firewalls to take immediate mitigation steps:
- Disable SSLVPN services where practical – the additional mitigations below should be taken in all cases, including where disabling SSLVPN is not practical for the customer
  - Limit SSLVPN connectivity to trusted source IPs.
  - Ensure Security Services (e.g., Botnet Protection, Geo-IP Filter) are enabled.
  - Remove unused or inactive firewall user accounts.
  - Promote strong password hygiene.
  - Enforce Multi-Factor Authentication (MFA) for all remote access (MFA enforcement alone may not protect against the activity under investigation).”
Attackers appear to be moving swiftly.
According to Huntress, attackers are pivoting directly to domain controllers within hours and deploying ransomware after short dwell times. The pattern is consistent: a breach of the SonicWall appliance itself, followed by post-exploitation techniques that vary by incident, including enumeration, detection evasion, lateral movement, and credential theft.
In some cases, attackers tried to maintain persistence on some of these machines by adding accounts or by enabling or installing remote access tools.
What is a Zero-Day Vulnerability?
A zero-day vulnerability is a security flaw in software or hardware that is unknown to the software vendor or developer, and for which they have had “zero days” to create a patch or fix. This means that when the vulnerability is discovered and exploited, the vendor has no prior knowledge or defense against it.
Zero-day vulnerabilities pose a significant security risk because they can be exploited to gain unauthorized access to systems, steal data, or disrupt operations.
Huntress researchers have stated that “the final objective appears to be ransomware”—and that attacker activities have been observed that are intended “to prevent easy recovery right before deploying what we assess to be Akira ransomware.”
What is Akira ransomware?
Akira is a strain of malicious ransomware that first appeared in March 2023, targeting businesses across various sectors. It is known for gaining the initial foothold through compromised VPN credentials and exposed services.
As of mid-2025, Akira has been responsible for attacks on hundreds of organizations globally, claiming around $42 million in extortion payments from March 2023 to January 2024. Victims have included Stanford University and Nissan Australia.
Officials said Akira cybercriminals steal data and encrypt systems before threatening to publish data. According to the FBI, some Akira affiliates have also called victimized companies to apply further pressure. The group targets both Windows and Linux systems, and is known for dismantling backups to hinder recovery.
What’s being done?
Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop that an ongoing investigation has yet to determine whether the attacks involve a previously disclosed vulnerability or a zero-day. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible.”
An investigation into the root cause of the attacks and origins of those responsible is ongoing.
UPDATE: On July 7, SonicWall confirmed that a patched vulnerability is behind the recent VPN attacks, and not a zero-day vulnerability.
SonicWall states that the recent malicious activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug combined with password reuse.
“We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability,” the company said.
“An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash.”
SonicWall also updated its guidance for dealing with the situation. It is encouraging users to:
- Update firmware to SonicOS version 7.3.0
- Reset all local user account passwords for any accounts with SSLVPN access, particularly those that were carried over during migration from Gen 6 to Gen 7
- Enable Botnet Protection and Geo-IP Filtering
- Enforce MFA and strong password policies
- Remove unused or inactive user accounts
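Both the initial mitigations and the updated guidance above come down to auditing the firewall's local user base: resetting SSLVPN account passwords that predate the Gen 6 to Gen 7 migration, removing inactive accounts, and enforcing MFA. The script below is an added example, not SonicWall's tooling; it runs those checks over a constructed account export whose column names, the migration date and the 90-day inactivity threshold are all assumptions.

```python
"""Audit a constructed export of firewall local users against the SonicWall guidance.

Findings per account: SSLVPN access with a password set before the Gen 6 -> Gen 7
migration (reset), no login within the inactivity window (remove), SSLVPN without MFA
(enforce). The CSV layout is hypothetical, not a real SonicOS export format.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample data; column names are assumptions.
SAMPLE_EXPORT = """\
name,sslvpn,mfa,last_login,password_changed
alice,yes,yes,2025-08-01,2025-07-20
bob,yes,no,2025-07-30,2024-11-02
svc-backup,yes,no,2024-12-15,2024-01-10
carol,no,no,2025-08-03,2025-06-01
legacy-vpn,yes,no,,2023-09-12
"""

MIGRATION_DATE = date(2025, 1, 15)  # assumed date the accounts were migrated to Gen 7
INACTIVE_DAYS = 90                  # assumed threshold for "inactive"


def _parse(value):
    """Empty fields (never logged in) become None."""
    return date.fromisoformat(value) if value else None


def audit_accounts(export_csv, today, migration_date=MIGRATION_DATE,
                   inactive_days=INACTIVE_DAYS):
    """Return {account_name: [findings]} for every account that needs action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        issues = []
        sslvpn = row["sslvpn"] == "yes"
        last_login = _parse(row["last_login"])
        pw_changed = _parse(row["password_changed"])
        if last_login is None or today - last_login > timedelta(days=inactive_days):
            issues.append("inactive: remove account")
        if sslvpn and pw_changed is not None and pw_changed < migration_date:
            issues.append("sslvpn password predates migration: reset")
        if sslvpn and row["mfa"] != "yes":
            issues.append("sslvpn without mfa: enforce")
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_EXPORT, date(2025, 8, 6)).items():
        print(f"{name}: {'; '.join(issues)}")
```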
Cybersecurity company Huntress told The Hacker News that it continues to see organizations impacted by threat actors targeting SonicWall Gen 7 firewall appliances, with at least 28 incidents observed from this activity as of August 6, 2025.
For more information on protecting your business from cybercriminals, be sure to check out wedoIT at wedoIT.co or call 844-635-5925.