SonicWall, a prominent network security provider, is currently investigating reports of a potential zero-day vulnerability in its SSL VPN products. This inquiry follows a significant increase in cyber incidents involving Gen 7 SonicWall firewalls with SSL VPN enabled, particularly linked to the Akira ransomware group.
Over the past 72 hours, SonicWall has observed a notable uptick in both internally and externally reported cyber incidents affecting their Gen 7 firewalls. The company is actively working to determine whether these incidents are connected to a previously disclosed vulnerability or if a new, unidentified flaw is at play.
In response to these developments, SonicWall has issued interim security recommendations for organizations utilizing Gen 7 firewalls:
– Disable SSL VPN Services: Where feasible, organizations should disable SSL VPN services to mitigate potential risks.
– Restrict SSL VPN Access: Limit SSL VPN connectivity to trusted IP addresses to reduce exposure.
– Activate Security Features: Enable services such as Botnet Protection and Geo-IP Filtering to enhance defense mechanisms.
– Enforce Multi-Factor Authentication (MFA): Implement MFA to add an additional layer of security for user accounts.
– Manage User Accounts: Remove inactive or unused local user accounts on the firewall, especially those with SSL VPN access.
– Regular Password Updates: Encourage frequent password changes across all user accounts to maintain security integrity.
These recommendations aim to bolster defenses while the investigation is ongoing.
The Akira ransomware group has been identified as a primary actor exploiting SonicWall SSL VPN devices for initial access. Since late July 2025, there has been a surge in Akira ransomware activity targeting these devices. Notably, some of the compromised endpoints were fully updated, leading researchers to suspect the use of a previously unknown vulnerability, although the misuse of stolen credentials has not been ruled out. ([techradar.com](https://www.techradar.com/pro/security/sonicwall-vpns-are-being-targeted-by-a-new-zero-day-in-ransomware-attacks?utm_source=openai))
Huntress, a cybersecurity firm, has observed that attackers are pivoting directly to domain controllers within hours of the initial breach. The attack sequence typically begins with the compromise of the SonicWall appliance, followed by enumeration, detection evasion, lateral movement, and credential theft. Attackers have been observed conducting rapid post-login activity to move laterally, establish persistence, and deploy Akira ransomware. ([digitalxraid.com](https://www.digitalxraid.com/akira-exploiting-sonicwall-vpn-zero-day/?utm_source=openai))
The incidents also involve the systematic disabling of Microsoft Defender Antivirus and deletion of volume shadow copies prior to deploying Akira ransomware. Huntress has detected approximately 20 different attacks associated with this wave, starting on July 25, 2025. Variations in the attackers’ methods have been noted, including the use of tools like AnyDesk, ScreenConnect, or SSH for reconnaissance and persistence. ([thehackernews.com](https://thehackernews.com/2025/08/sonicwall-investigating-potential-ssl.html?utm_source=openai))
Evidence suggests that the activity may be limited to TZ and NSa-series SonicWall firewalls with SSL VPN enabled, and that the suspected flaw exists in firmware versions 7.2.0-7015 and earlier. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild. ([thehackernews.com](https://thehackernews.com/2025/08/sonicwall-investigating-potential-ssl.html?utm_source=openai))
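As an added example (not SonicWall's, Huntress's, or the article's code), the following Python script turns two of the points above into checks a defender can run: it tests whether a reported firmware version falls at or below the suspected 7.2.0-7015 threshold, and it flags successful SSL VPN logins whose source address is outside an allowlist of trusted ranges, as the interim recommendation to restrict access suggests. The log format, the trusted ranges and the assumption that "earlier" means a lower (major, minor, patch, build) tuple are all constructed for the example; they are not SonicWall's real log format or version semantics.

```python
import ipaddress
import re

# Threshold quoted in the article: firmware 7.2.0-7015 and earlier is suspected
# to be affected. Assumption: "earlier" means a lower (major, minor, patch, build) tuple.
SUSPECT_MAX_FIRMWARE = "7.2.0-7015"

# Constructed allowlist of trusted source ranges (documentation prefixes, not real).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Constructed log lines in a made-up key=value style; this is not SonicWall's log format.
SAMPLE_LOGS = """\
time=2025-07-26T01:12:03Z event=sslvpn_login user=jsmith src=203.0.113.7 result=success
time=2025-07-26T02:40:11Z event=sslvpn_login user=backup-admin src=192.0.2.55 result=success
time=2025-07-26T02:40:19Z event=sslvpn_login user=jdoe src=192.0.2.55 result=failure
time=2025-07-26T03:05:00Z event=sslvpn_login user=svc_old src=198.51.100.9 result=success
"""

def parse_firmware(version: str) -> tuple:
    """'7.2.0-7015' -> (7, 2, 0, 7015); raises ValueError on malformed input."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(x) for x in m.groups())

def firmware_in_suspect_range(version: str) -> bool:
    """True when the version is 7.2.0-7015 or earlier (tuple comparison)."""
    return parse_firmware(version) <= parse_firmware(SUSPECT_MAX_FIRMWARE)

def untrusted_sslvpn_logins(log_text: str) -> list:
    """Return (user, src) pairs for successful SSL VPN logins from outside
    TRUSTED_RANGES; these are the sessions to examine first."""
    flagged = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("event") != "sslvpn_login" or fields.get("result") != "success":
            continue
        src = ipaddress.ip_address(fields["src"])
        if not any(src in net for net in TRUSTED_RANGES):
            flagged.append((fields["user"], fields["src"]))
    return flagged

if __name__ == "__main__":
    print(firmware_in_suspect_range("7.2.0-7015"))  # True
    print(untrusted_sslvpn_logins(SAMPLE_LOGS))     # [('backup-admin', '192.0.2.55')]
```

A hit from `untrusted_sslvpn_logins` is a starting point for review, not proof of compromise; the article notes that stolen credentials and a new flaw are both still possible explanations.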
The Akira ransomware group, active since March 2023, targets both Windows and Linux systems. They are known for dismantling backups to hinder recovery efforts. As of mid-2025, Akira has been responsible for attacks on hundreds of organizations globally, including Stanford University and Nissan Australia. The group typically directs its victims to contact them via a Tor-based website. ([techradar.com](https://www.techradar.com/pro/security/sonicwall-vpns-are-being-targeted-by-a-new-zero-day-in-ransomware-attacks?utm_source=openai))
In light of these developments, organizations using SonicWall VPNs are advised to immediately implement multi-factor authentication, delete unused accounts, and update passwords. The FBI and CISA are currently monitoring the situation, highlighting the severity of the threat. ([techradar.com](https://www.techradar.com/pro/security/sonicwall-vpns-are-being-targeted-by-a-new-zero-day-in-ransomware-attacks?utm_source=openai))
SonicWall has stated that if a new vulnerability is confirmed, they will release updated firmware and guidance as quickly as possible. In the meantime, organizations are urged to follow the recommended security measures to mitigate potential risks.