SonicWall warns admins: Disable SSLVPN now to stop attacks

Summary
– SonicWall warns customers to disable SSLVPN services due to potential exploitation of an unknown vulnerability in Gen 7 firewalls by ransomware gangs.
– Arctic Wolf Labs observed Akira ransomware attacks since July 15th, possibly exploiting a SonicWall zero-day, though initial access methods remain unconfirmed.
– Huntress confirmed the attacks, noting threat actors bypass MFA and pivot to domain controllers quickly, advising immediate VPN service disablement or IP restrictions.
– SonicWall recommends mitigations like disabling SSLVPN, limiting trusted IPs, enabling security services, enforcing MFA, and removing unused accounts while investigating.
– SonicWall previously warned admins to patch SMA 100 appliances against CVE-2025-40599; while no active exploitation of that flaw is confirmed, attackers using compromised credentials have deployed the OVERSTEP rootkit on these devices.
SonicWall has issued an urgent alert urging administrators to disable SSLVPN services immediately following reports of potential zero-day exploits targeting its Gen 7 firewalls. Security researchers have observed a surge in ransomware attacks linked to these vulnerabilities, with threat actors bypassing multi-factor authentication to infiltrate networks.
Arctic Wolf Labs first flagged the issue after detecting multiple Akira ransomware incidents since mid-July. While the exact method of initial access remains unconfirmed, experts suspect attackers may be leveraging an unpatched flaw in SonicWall’s SSL VPN technology. Brute force attacks and credential stuffing haven’t been ruled out, but evidence strongly points to a zero-day vulnerability being actively exploited.
Huntress, another cybersecurity firm, corroborated these findings, warning that compromised networks often see rapid escalation to domain controllers within hours. The company shared indicators of compromise (IOCs) to help organizations identify potential breaches. Their recommendation aligns with Arctic Wolf’s: disable SSLVPN services or restrict access through IP allow-listing to mitigate risks.
In response, SonicWall released an advisory confirming the spike in attacks targeting Gen 7 firewalls with SSLVPN enabled. While investigations continue to determine whether a new vulnerability exists or if attackers are abusing known flaws, the company outlined critical steps for protection:
– Disable SSLVPN where possible
– Limit SSLVPN connectivity to trusted source IPs
– Enable security services
– Enforce MFA
– Remove unused accounts
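As an added example (not from the article or from SonicWall's advisory), the following Python audit turns three of the advisory's mitigations into checks run over VPN login records: successful logins from outside a trusted source-IP allow-list, logins that did not pass MFA, and logins by accounts that are not on the current active roster. The record layout, the network ranges, the user names and the roster are all constructed for illustration and are not SonicWall's log format.

```python
"""Audit VPN authentication records against the advisory's mitigations:
trusted source IPs, MFA enforcement and removal of unused accounts.
The record format below is constructed for this example and is not
any vendor's real log format."""
import ipaddress
from dataclasses import dataclass

# Constructed sample records: (timestamp, user, source IP, mfa_passed, result).
SAMPLE_EVENTS = [
    ("2025-07-15T02:14:05", "jsmith",         "203.0.113.10",  True,  "success"),
    ("2025-07-15T02:16:41", "svc_backup",     "198.51.100.77", False, "success"),
    ("2025-07-15T02:17:02", "contractor_old", "198.51.100.77", True,  "success"),
    ("2025-07-15T09:30:00", "jsmith",         "192.0.2.55",    True,  "failure"),
]

# Hypothetical allow-list of source networks that should be permitted to reach SSLVPN.
TRUSTED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Hypothetical roster of accounts that are still in use (e.g. from HR or the IdP).
ACTIVE_ACCOUNTS = {"jsmith", "svc_backup"}


@dataclass
class Finding:
    user: str
    source_ip: str
    reason: str


def audit_events(events, trusted_nets=TRUSTED_NETS, active_accounts=ACTIVE_ACCOUNTS):
    """Return one Finding per mitigation a successful login violates.
    Failed logins are skipped: the checks target sessions that were actually granted."""
    findings = []
    for _ts, user, ip, mfa_passed, result in events:
        if result != "success":
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted_nets):
            findings.append(Finding(user, ip, "login from outside allow-list"))
        if not mfa_passed:
            findings.append(Finding(user, ip, "login without MFA"))
        if user not in active_accounts:
            findings.append(Finding(user, ip, "login by account not on active roster"))
    return findings


def summarize(findings):
    """Count findings per reason so the most common gap stands out."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.user:15} {f.source_ip:15} {f.reason}")
    print(summarize(results))
```

Feeding real exported login records into `audit_events` (after mapping them to the tuple layout above) gives a quick picture of which successful sessions would have been blocked by an IP allow-list, which accounts are bypassing MFA, and which stale accounts still authenticate; each of those lists maps directly to one of the advisory's mitigation steps.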
The advisory emphasized that these measures are temporary but necessary while SonicWall works on a permanent fix. This isn’t the first time the company has sounded the alarm: just weeks earlier, it warned admins to patch SMA 100 appliances against CVE-2025-40599, a critical flaw allowing remote code execution. Though exploitation requires admin privileges, threat actors have already targeted these devices using stolen credentials to deploy the OVERSTEP rootkit.
With ransomware groups increasingly exploiting VPN vulnerabilities, organizations must act swiftly to secure remote access points. Proactive measures like MFA and IP restrictions can significantly reduce exposure while vendors investigate and resolve emerging threats.
(Source: Bleeping Computer)