SonicWall Dismisses Zero-Day Fears After Ransomware Probe
SonicWall, a leading provider of network security solutions, has dismissed concerns over the existence of a zero-day vulnerability in its products following an investigation into recent ransomware attacks.
The company launched the investigation after reports emerged of a zero-day being used in Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled. SonicWall worked to determine whether the incidents were connected to an existing flaw or a newly discovered vulnerability.
"Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled," reads the statement published by the vendor. "We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible."
Arctic Wolf Labs researchers were among those to report that Akira ransomware was exploiting SonicWall SSL VPNs in a likely zero-day attack, targeting even fully patched devices. The researchers observed multiple intrusions via VPN access in late July 2025 and found evidence of a likely zero-day vulnerability.
"While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability," reads the report published by Arctic Wolf Labs. "In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP MFA being enabled, accounts were still compromised in some instances."
Ransomware activity targeting SonicWall SSL VPNs surged from July 15, 2025, with similar cases dating back to October 2024. Attackers often used VPS hosting for VPN logins, unlike legitimate access from ISPs.
Arctic Wolf observed short delays between access and encryption and is applying its own recommended defenses internally. The researchers recommend that organizations consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.
Cybersecurity firm Huntress detected about 20 attacks since July 25, 2025, using tools like AnyDesk, ScreenConnect, and SSH. The activity appears limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled, likely exploiting a flaw in firmware versions 7.2.0-7015 and earlier.
SonicWall advises enabling security services like Botnet Protection, enforcing MFA for all remote access, and removing unused firewall accounts. The experts recommend regular password updates to limit exposure to malicious VPN logins.
No Zero-Day Involvement Confirmed
SonicWall has now confirmed that there is no zero-day involved in recent ransomware attacks, but rather the exploitation of a known flaw, CVE-2024-40766. This vulnerability, disclosed in September 2024, was used by threat actors to steal device credentials.
"We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability," reads the advisory published by the security vendor. "Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015."
The vendor advises updating to firmware 7.3.0+ and resetting all local passwords, especially for SSLVPN, to improve security.
What Can Organizations Do?
To limit exposure to malicious VPN logins, organizations should consider blocking VPN authentication from hosting-related ASNs, though full blocking could disrupt operations.
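As an added illustration of the hosting-ASN check described above (example code written for this article, not SonicWall's or Arctic Wolf's tooling), the following script flags successful SSLVPN logins whose source address falls in a prefix attributed to a VPS/hosting provider. The log format, the prefix-to-ASN table and the addresses are all constructed for the example; a real deployment would parse the firewall's actual log syntax and load an IP-to-ASN feed.

```python
import re
import ipaddress

# Constructed sample records in a hypothetical "key=value" format; they are not
# real SonicWall log lines and use RFC 5737 documentation address ranges.
SAMPLE_LOGINS = [
    "2025-07-28T01:12:03Z user=jdoe src=192.0.2.15 result=success",
    "2025-07-28T01:40:51Z user=jdoe src=203.0.113.45 result=success",
    "2025-07-28T02:05:10Z user=msmith src=198.51.100.7 result=failure",
    "2025-07-28T02:06:44Z user=msmith src=198.51.100.7 result=success",
    "2025-07-28T03:00:00Z user=alee src=192.0.2.200 result=success",
]

# Hypothetical prefix-to-ASN table standing in for a real IP-to-ASN feed.
# Only prefixes attributed to hosting/VPS providers are listed here.
HOSTING_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "AS64500 (VPS hosting)",
    ipaddress.ip_network("198.51.100.0/24"): "AS64501 (VPS hosting)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def hosting_asn(ip: str):
    """Return the hosting ASN label for ip, or None if it is not hosting space."""
    addr = ipaddress.ip_address(ip)
    for net, label in HOSTING_PREFIXES.items():
        if addr in net:
            return label
    return None


def find_suspicious_logins(lines):
    """Return (timestamp, user, src, asn) for each successful hosting-sourced login."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue  # malformed line or failed attempt: nothing to flag yet
        label = hosting_asn(m["src"])
        if label:
            hits.append((m["ts"], m["user"], m["src"], label))
    return hits


def accounts_to_review(lines):
    """Accounts with at least one hosting-sourced success, for credential rotation."""
    return sorted({user for _, user, _, _ in find_suspicious_logins(lines)})
```

The same lookup can drive a block rule instead of an alert, but the article's caveat applies: blocking whole hosting ASNs can cut off legitimate users who connect from cloud-hosted jump hosts.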
Recommended actions include disabling SSLVPN where possible, restricting access to trusted IPs, enabling security services like Botnet Protection and Geo-IP Filtering, enforcing MFA (though it may not fully prevent the threat), removing unused accounts, especially those with SSLVPN access, and maintaining strong password practices. These steps aim to reduce risk while SonicWall continues its investigation.
SonicWall urges Gen 7 firewall users to immediately apply key mitigations amid an ongoing investigation. By taking these steps, organizations can improve their security posture and reduce the risk of further attacks.