Warning of attacks on SonicWall firewalls (SSL VPNs)

[German] For readers who rely on SonicWall: for days there have been reports that attacks on SonicWall firewalls are being observed. The activity appears to involve the SSL VPN function of the Gen 7 SonicWall firewalls. It is unclear whether an unknown vulnerability is being exploited.



An older report about the SonicWall SMA 100

I didn't have it in the blog, but the Mandiant warning from the following tweet came to me as early as mid-July 2025.

Mandiant warning about SonicWall attacks

A financially motivated threat actor named UNC6148 is attacking fully patched but out-of-support SonicWall SMA 100 appliances. A new, persistent backdoor (OVERSTEP) is being installed. Details can be found in the article Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor.

Arctic Wolf warns of attacks on SonicWall SSL VPNs

In the meantime, a reader has also sent me an email with the subject line Gen 7 SonicWall Firewalls – SSLVPN Recent Threat Activity to point out another warning. Security provider Arctic Wolf issued a warning on August 1, 2025 in the article Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN – Copy.

Arctic Wolf has observed an increase in ransomware activity by the Akira group targeting SonicWall firewall devices as the initial point of entry since late July 2025. Several incidents were observed within a short period in which the attackers gained access through the SonicWall SSL VPN before deploying the ransomware. The short interval between the SSL VPN access and the encryption by the ransomware was also noted.



At present, access to SonicWall SSL VPN credentials through brute force attacks, dictionary attacks and credential stuffing cannot be definitively ruled out in all cases. However, Arctic Wolf writes that the available evidence points to the existence of a zero-day vulnerability.

In some cases, fully patched SonicWall devices were affected even after the credentials had been changed. Despite TOTP MFA being enabled, accounts were still compromised in some cases. Arctic Wolf Labs is currently investigating this campaign and will provide more details as they become available.

Recommendation to disable SonicWall SSL VPNs

Arctic Wolf recommends that organizations consider disabling the SonicWall SSL VPN service until a patch is available and deployed, given the high likelihood of a zero-day vulnerability.

Further warning, statement from SonicWall

There is also this warning from Huntress that SonicWall VPNs are being actively attacked; in this tweet they report the attacks they have seen. SonicWall has since released this statement saying that no 0-day exploit is being used in the attacks.

Instead, SonicWall sees a significant link to threat activity related to CVE-2024-40766, which has already been disclosed and documented in SNWLID-2024-001.

Many of the incidents (fewer than 40) currently being investigated in connection with this activity are related to the migration from Generation 6 to Generation 7 firewalls, in which local user passwords were carried over during the migration and not reset, the vendor writes. Resetting these passwords was an important step described in the original advisory.

According to SonicWall, SonicOS 7.3 offers additional protection against brute force attacks on passwords and MFA; without these protections, such attacks are easier to carry out. The manufacturer recommends updating the affected SonicWall firewall appliances and resetting the passwords.
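Both the Arctic Wolf write-up (brute force, dictionary attacks, credential stuffing as possible explanations) and SonicWall's statement (carried-over local passwords, brute force against passwords and MFA) describe patterns that show up in the SSL VPN authentication log. The following is an added example, not code from the blog, from Arctic Wolf or from SonicWall, showing how such patterns can be flagged from exported authentication events. The log line format, the field names (auth=, user=, src=), the sample events and the thresholds are all constructed assumptions for this example; they are not the real SonicOS event format, so the regular expression has to be adapted to the fields your firewall actually exports.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events in a simplified, syslog-like format assumed for this
# example. This is NOT the real SonicOS log format; only the idea (timestamp,
# result, user, source IP per SSL VPN login attempt) carries over.
SAMPLE_LOGS = """\
2025-07-29T01:10:02Z sslvpn auth=failed user=jsmith src=203.0.113.5
2025-07-29T01:10:09Z sslvpn auth=failed user=jsmith src=203.0.113.5
2025-07-29T01:10:15Z sslvpn auth=failed user=jsmith src=203.0.113.5
2025-07-29T01:10:21Z sslvpn auth=failed user=jsmith src=203.0.113.5
2025-07-29T01:10:27Z sslvpn auth=failed user=jsmith src=203.0.113.5
2025-07-29T01:10:33Z sslvpn auth=success user=jsmith src=203.0.113.5
2025-07-29T02:00:01Z sslvpn auth=failed user=admin src=198.51.100.7
2025-07-29T02:00:04Z sslvpn auth=failed user=backup src=198.51.100.7
2025-07-29T02:00:08Z sslvpn auth=failed user=vpnuser src=198.51.100.7
2025-07-29T02:00:11Z sslvpn auth=failed user=scanner src=198.51.100.7
2025-07-29T09:15:40Z sslvpn auth=success user=mmueller src=192.0.2.44
2025-07-29T09:16:02Z sslvpn auth=failed user=mmueller src=192.0.2.44
"""

# Assumed line layout; adapt to the real export format of your appliance.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn auth=(?P<result>success|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Yield one dict per parsable line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_users=3):
    """Sliding-window detection over SSL VPN authentication events.

    Flags three patterns per source IP within `window`:
      brute_force            - at least fail_threshold failed logins
      password_spray         - failures against at least spray_users distinct
                               accounts (credential stuffing / dictionary attack)
      success_after_failures - a successful login from a source that had
                               failures shortly before (a guess that worked)
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) for failures in window
    findings = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        src, now = ev["src"], ev["ts"]
        q = recent[src]
        while q and now - q[0][0] > window:  # drop failures outside the window
            q.popleft()

        if ev["result"] == "failed":
            users_before = {u for _, u in q}
            q.append((now, ev["user"]))
            # fire once when the failure count crosses the threshold
            if len(q) == fail_threshold:
                findings.append({"kind": "brute_force", "src": src, "ts": now,
                                 "failures": len(q)})
            # fire once when a new distinct account brings the set to spray_users
            if ev["user"] not in users_before and len(users_before) + 1 == spray_users:
                findings.append({"kind": "password_spray", "src": src, "ts": now,
                                 "users": sorted(users_before | {ev["user"]})})
        elif q:
            # a success right after a burst of failures is the interesting case
            findings.append({"kind": "success_after_failures", "src": src, "ts": now,
                             "user": ev["user"], "failures": len(q)})
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed sample the detector reports a brute-force burst against jsmith from 203.0.113.5, the successful login that follows it from the same source, and a spray across several accounts from 198.51.100.7; the lone failure from 192.0.2.44 after a normal login is below every threshold. The thresholds are deliberately low for the sample and should be tuned against real volumes; the point SonicWall's statement makes is that on SonicOS versions without the added brute-force protections, detection of this kind is the only thing standing between a carried-over password and a VPN session.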


