Unable to pinpoint zero-day vuln, SonicWall says customers should immediately disable SSLVPN services amid escalating ransomware attacks.

SonicWall has issued a critical advisory for network administrators to immediately disable SSLVPN services on Gen 7 firewall and Secure Mobile Access (SMA) devices due to an unprecedented wave of targeted cyberattacks, including high-profile ransomware exploits.

Surge in Attacks Linked to Unpatched Vulnerability

Since mid-July 2025, SonicWall devices globally have come under increasing attack, with cybercriminals—most notably the Akira ransomware group—exploiting what is suspected to be a zero-day vulnerability in the SSLVPN feature. This vulnerability enables attackers to bypass even advanced security measures, such as multi-factor authentication (MFA), and gain privileged access to network environments running the most recent firmware versions.

Attackers Bypassing MFA and Security Tools

Security monitoring firms have reported that these sophisticated threat actors are able to compromise accounts despite MFA protections. Once inside a network, attackers quickly escalate privileges, establish persistence using covert tools (such as Cloudflared tunnels and OpenSSH), and systematically dismantle defenses by disabling security software and backup solutions. This approach is designed to maximize the impact of ransomware deployment by neutralizing any opportunity for rapid recovery or containment.

Immediate Recommendations from SonicWall

SonicWall, in close coordination with leading cybersecurity experts, strongly advises the following immediate actions:

  • Disable SSLVPN: Administrators should, wherever possible, disable the SSLVPN service on all Gen 7 firewalls and SMA appliances.
  • Restrict Access: If maintaining SSLVPN functionality is business-critical, restrict access with strict IP allow-lists and enable comprehensive security settings, including botnet and geo-IP filtering.
  • Audit Privileges: Conduct rigorous audits of user and service accounts to ensure only necessary privileges are assigned, removing any unused or unnecessary accounts.
  • Monitor Logs: Increase monitoring for suspicious activity, particularly related to VPN usage, authentication attempts, and configuration changes.
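
One way to put the allow-list and log-monitoring recommendations above into practice, as an added example that is not from SonicWall or the article: a small Python script that parses key=value log records and flags SSLVPN authentication events from sources outside an administrator-defined allow-list, together with any configuration changes. The field names, the allow-list networks and the sample log lines are constructed for this example and are not SonicWall's real log format.

```python
"""Flag SSLVPN authentications from outside an IP allow-list and all
configuration changes in key=value log records.

The record format, field names and sample lines below are constructed
for this example (hypothetical); they are not SonicWall's real log format.
"""
import ipaddress
import re
from typing import Dict, List

# Assumed allow-list: the only remote networks permitted to reach SSLVPN.
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("203.0.113.0/24", "198.51.100.10/32")]

# Constructed sample log lines (not real device output).
SAMPLE_LOG = """\
time=2025-07-20T02:14:07Z msg="SSL VPN user login" usr=jdoe src=203.0.113.44 result=success
time=2025-07-20T02:15:31Z msg="SSL VPN user login" usr=svc-backup src=192.0.2.77 result=success
time=2025-07-20T02:16:02Z msg="Configuration changed" usr=svc-backup src=192.0.2.77 result=success
time=2025-07-20T02:16:40Z msg="SSL VPN user login" usr=admin src=192.0.2.78 result=failure
"""

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_allowed(src: str) -> bool:
    """True if the source address falls inside any allow-listed network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_NETS)


def find_alerts(log_text: str) -> List[str]:
    """Return one alert string per SSLVPN event from a non-allow-listed
    source (success or failure) and per configuration change."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        msg, src = rec.get("msg", ""), rec.get("src", "")
        if msg.startswith("SSL VPN") and src and not is_allowed(src):
            alerts.append(f"{rec['time']} vpn_outside_allowlist usr={rec.get('usr')} "
                          f"src={src} result={rec.get('result')}")
        if msg == "Configuration changed":
            alerts.append(f"{rec['time']} config_change usr={rec.get('usr')} src={src}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Feeding real exported logs into `find_alerts` requires adapting `KV_RE` and the `msg` strings to the device's actual field names.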

SonicWall emphasizes that conventional safeguards—including multi-factor authentication—may not be sufficient against this current threat and that disabling SSLVPN is the most effective interim measure.

Ongoing Investigation and Next Steps

Cybersecurity firms such as Huntress, Arctic Wolf, and Google’s Mandiant unit are deeply involved in investigating the root cause of this exploitation. Evidence points to attacks targeting all devices running firmware version 7.2.0-7015 and earlier.
