SonicWall Investigates Potential Zero-Day Vulnerability
SonicWall has said it is investigating reports of a possible new zero-day vulnerability after a noticeable increase in Akira ransomware activity in late July 2025. The incident responders who reported the spike have pointed to Gen 7 SonicWall firewalls, particularly those with SSL VPN enabled, as the common initial-access point, which has prompted a closer look at the security of those devices.
Notable Increase in Cyber Incidents
In a statement, SonicWall acknowledged, “Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled.” This situation has led the company to explore whether these incidents are linked to an existing vulnerability or if they stem from a newly discovered one.
Recommendations for Organizations
While investigations are underway, SonicWall has provided several recommendations for organizations that utilize Gen 7 firewalls:
- Disable SSL VPN services wherever feasible.
- Restrict SSL VPN connectivity to trusted IP addresses only.
- Turn on protective features like Botnet Protection and Geo-IP Filtering.
- Enforce multi-factor authentication.
- Remove inactive local user accounts that have SSL VPN access.
- Enforce regular password changes on all accounts.
Surge in Akira Ransomware Activity
The urgency of SonicWall’s investigation follows reports from Arctic Wolf, which noted an uptick, since the latter part of July, in Akira ransomware intrusions that used SonicWall’s SSL VPN for initial access. Huntress corroborated this with its own analysis and reported that the attackers move quickly, compromising domain controllers within hours of the initial breach.
Tactics of the Attackers
The attack sequences typically begin with the compromise of the SonicWall appliance through its SSL VPN. From there the intruders follow a fast, well-rehearsed playbook: enumeration, defense evasion, lateral movement, and credential theft. Reports indicate that in these incidents the attackers systematically disabled Microsoft Defender Antivirus and deleted volume shadow copies before deploying the Akira ransomware.
High Volume of Detected Attacks
Huntress has observed around 20 distinct attacks linked to this surge since July 25, 2025. The tooling varies between incidents, for example in the reconnaissance tools used and in which remote-access software is installed for persistence (AnyDesk, ScreenConnect, or SSH).
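The pre-ransomware steps described above (disabling Defender, deleting volume shadow copies, installing a remote-access tool for persistence) are all visible in process-creation telemetry, and because the intruders move within hours, the useful signal is several of those behaviours firing on the same host in a short window. The following is an added example, not code from SonicWall, Arctic Wolf or Huntress: simple pattern rules run over a constructed set of Sysmon-style process-creation events, plus a per-host correlation step. The event records, host names and command lines are made up for the example; the patterns cover only the techniques the reports name.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style).
# These are assumed for the example and are not telemetry from the incidents.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"'},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": "powershell.exe",
     "cmdline": r"C:\Users\Public\AnyDesk.exe --install C:\Users\Public\AnyDesk --start-with-win --silent"},
    # Benign control: listing shadow copies is routine backup activity, not deletion.
    {"host": "WS02", "user": "CORP\\backupsvc", "parent": "services.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# (category, pattern). Several patterns may share a category; a category fires
# at most once per command line.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"Win32_ShadowCopy\b.*\bDelete\b", re.I)),
    ("defender_tamper", re.compile(r"Set-MpPreference\b.*-Disable\w*", re.I)),
    ("defender_tamper", re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b", re.I)),
    ("remote_access_tool", re.compile(r"\b(AnyDesk|ScreenConnect)\b.*(--install|/install|--silent)", re.I)),
]


def classify(cmdline):
    """Return the set of rule categories whose pattern matches the command line."""
    return {name for name, pattern in RULES if pattern.search(cmdline)}


def detect(events):
    """Return one (host, user, category, cmdline) finding per matching category per event."""
    findings = []
    for ev in events:
        for category in sorted(classify(ev["cmdline"])):
            findings.append((ev["host"], ev["user"], category, ev["cmdline"]))
    return findings


def staging_hosts(findings, min_categories=2):
    """Hosts on which at least `min_categories` distinct categories fired.

    A single vssadmin call can be an admin cleaning up; defence tampering plus
    shadow-copy deletion on the same host is the pre-encryption pattern the
    reports describe and is worth paging on.
    """
    by_host = {}
    for host, _user, category, _cmd in findings:
        by_host.setdefault(host, set()).add(category)
    return sorted(h for h, cats in by_host.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for host, user, category, cmd in results:
        print(f"{host:5} {user:18} {category:22} {cmd}")
    print("hosts showing pre-ransomware staging:", staging_hosts(results))
```

On the sample data the benign `vssadmin list shadows` on WS02 does not fire, while DC01 (Defender tampering plus shadow-copy deletion) and FS01 (shadow-copy deletion plus an AnyDesk silent install) are both reported as staging hosts. In a real deployment the same two-category rule would be applied over a time window rather than over the whole event set.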
Affected Versions and Firmware
Evidence so far suggests the issue is limited to Gen 7 TZ- and NSa-series firewalls with SSL VPN enabled, running firmware version 7.2.0-7015 or older.
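Turning that scoping statement into an inventory check means comparing firmware strings correctly (the build number after the hyphen matters, so a plain string comparison is not enough) and applying all three conditions together. The following is an added example, not SonicWall's own tooling: it assumes a SonicOS 7 version layout of major.minor.patch-build (as in 7.2.0-7015) and runs over a constructed inventory; the device names and the newer build 7.2.0-7016 used as an out-of-range case are made up for the example.

```python
import re

# Upper bound of the suspected affected range as reported: 7.2.0-7015 and older.
SUSPECTED_MAX_VERSION = "7.2.0-7015"

# Assumed SonicOS 7 version layout: major.minor.patch-build, e.g. 7.2.0-7015.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version):
    """Parse '7.2.0-7015' into a comparable tuple (7, 2, 0, 7015)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_in_scope(model, firmware, sslvpn_enabled):
    """True only when every reported condition holds: TZ or NSa model,
    SSL VPN enabled, and firmware at or below the reported upper bound."""
    if not sslvpn_enabled:
        return False
    family = model.upper().replace(" ", "")
    if not (family.startswith("TZ") or family.startswith("NSA")):
        return False
    return parse_version(firmware) <= parse_version(SUSPECTED_MAX_VERSION)


# Constructed inventory, assumed for the example.
INVENTORY = [
    {"name": "branch-fw-01", "model": "TZ470",      "firmware": "7.0.1-5161", "sslvpn": True},
    {"name": "hq-fw-01",     "model": "NSa 2700",   "firmware": "7.2.0-7015", "sslvpn": True},
    {"name": "dmz-fw-01",    "model": "NSa 3700",   "firmware": "7.2.0-7016", "sslvpn": True},
    {"name": "lab-fw-01",    "model": "TZ370",      "firmware": "7.1.1-7058", "sslvpn": False},
    {"name": "dc-fw-01",     "model": "NSsp 13700", "firmware": "7.2.0-7015", "sslvpn": True},
]


def devices_in_scope(inventory):
    """Names of devices that match the reported affected profile."""
    return [d["name"] for d in inventory
            if is_in_scope(d["model"], d["firmware"], d["sslvpn"])]


if __name__ == "__main__":
    print("devices matching the reported profile:", devices_in_scope(INVENTORY))
```

The devices this flags are the ones to apply the interim recommendations to first (disable or IP-restrict SSL VPN, prune inactive local SSL VPN users). An NSsp on the same firmware is reported as out of scope here only because the article limits the profile to TZ and NSa; treat that as a prioritisation aid, not proof that other models are safe.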
Implications of Zero-Day Vulnerability
Huntress has raised concerns about the implications of this potential zero-day vulnerability, noting, “The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.” This situation poses a critical ongoing threat to organizations relying on SonicWall’s security solutions.
As the investigation continues, organizations are urged to take these initial precautionary steps to safeguard their networks against this emerging threat.