SonicWall Investigates 0-Day Vulnerability Amid Surge in Ransomware Attacks
SonicWall has issued an urgent advisory to its customers, warning them to disable SSL VPN services on 7th-generation firewalls amid a wave of ransomware attacks potentially exploiting a zero-day vulnerability.
Key Details
According to Arctic Wolf researchers, multiple attacks involving Akira ransomware have been observed since July 15, 2025. These attacks suggest the exploitation of an unpatched flaw in SonicWall devices.
Huntress Labs confirmed the pattern, reporting that threat actors are bypassing multi-factor authentication (MFA) and deploying ransomware within hours of gaining initial access.
Once inside, attackers escalate privileges, compromise domain controllers, and disable security tools such as Windows Defender and built-in firewalls to maximize impact.
SonicWall’s Emergency Recommendations
In response, SonicWall has issued the following guidance:
- Disable SSL VPN access if possible.
- Restrict VPN access to trusted IP addresses only.
- Enable security features such as botnet protection and Geo-IP filtering.
- Enforce MFA for all remote access accounts.
- Remove inactive accounts to reduce credential abuse risks.
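One way to check an environment against the guidance above (an added example, not part of SonicWall's advisory or the original article): a Python audit of exported SSL VPN login records that flags logins from outside trusted ranges since July 15, 2025, accounts with no recent use, and accounts without MFA. The record layout, trusted ranges, 90-day cutoff and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumptions, not from the advisory: trusted ranges, inactivity cutoff, record layout.
TRUSTED_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.16/28")]
CAMPAIGN_START = datetime(2025, 7, 15, tzinfo=timezone.utc)  # start date reported above
INACTIVE_AFTER = timedelta(days=90)

# Constructed sample data: (user, source_ip, utc_time, mfa_enrolled)
LOGINS = [
    ("alice", "198.51.100.20", "2025-07-20T08:01:00+00:00", True),
    ("bob", "192.0.2.77", "2025-07-22T02:14:00+00:00", True),
    ("svc_backup", "192.0.2.77", "2025-07-22T02:19:00+00:00", False),
    ("carol", "203.0.113.18", "2025-03-02T09:30:00+00:00", True),
    ("alice", "192.0.2.5", "2025-06-30T10:00:00+00:00", True),
]
ACCOUNTS = ["alice", "bob", "carol", "dave", "svc_backup"]  # constructed account export

def is_trusted(ip):
    """True when the source address falls inside an allowlisted range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def audit(logins, accounts, now):
    last_seen, untrusted, no_mfa = {}, [], set()
    for user, ip, ts, mfa in logins:
        when = datetime.fromisoformat(ts)
        last_seen[user] = max(when, last_seen.get(user, when))
        if not mfa:
            no_mfa.add(user)
        # MFA-protected logins are still listed: the reports describe MFA being bypassed.
        if when >= CAMPAIGN_START and not is_trusted(ip):
            untrusted.append((user, ip, ts))
    # Accounts never seen, or unseen for longer than the cutoff, are removal candidates.
    inactive = sorted(u for u in accounts
                      if u not in last_seen or now - last_seen[u] > INACTIVE_AFTER)
    return {"untrusted_logins": untrusted, "inactive_accounts": inactive,
            "without_mfa": sorted(no_mfa)}

if __name__ == "__main__":
    review_date = datetime(2025, 8, 5, tzinfo=timezone.utc)  # constructed review date
    for key, rows in audit(LOGINS, ACCOUNTS, review_date).items():
        print(key, rows)
```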
Ongoing Investigation
SonicWall has acknowledged a sharp increase in ransomware incidents targeting Gen 7 firewalls with SSL VPN enabled, but has not yet confirmed whether a zero-day vulnerability is responsible.
Security experts are urging immediate mitigation, as no official patch is currently available. Organizations using affected devices should implement the recommended protections without delay to reduce exposure to ongoing threats.