All insights

SonicWall Gen 7 SSLVPN Threat Advisory

Hacker sitting at a laptop with the SonicWall logo on it illustration

What you should know about the ongoing SonicWall SSLVPN attacks

August 6, 20252 min read

Executive Summary

SonicWall is investigating a surge in cyber-incidents targeting Gen 7 firewalls with SSLVPN enabled. Third-party researchers report that threat actors, most notably Akira ransomware affiliates, may be exploiting a zero-day or abusing valid VPN credentials. Exploitation often leads to rapid lateral movement, Defender tampering, shadow-copy deletion, and full-environment encryption within hours.

Action is required immediately. Below we outline SonicWall’s official mitigation steps.


What We Know So Far

  • Spike in attacks: SonicWall observed a notable uptick in incidents over the last 72 hours against Gen 7 devices running various firmware versions with SSLVPN active.
  • Potential zero-day: Some compromised firewalls were fully patched, suggesting an undisclosed vulnerability; credential theft has not been ruled out.
  • Post-exploitation activity: Huntress notes rapid pivot to domain controllers, use of remote-access tools (AnyDesk, ScreenConnect, SSH), and ransomware deployment soon after initial VPN access.
  • Targets & impact: Akira has hit hundreds of organizations worldwide, including higher-education, manufacturing, and healthcare-sectors that frequently rely on SonicWall appliances for edge protection.

Official SonicWall Mitigation Guidance

SonicWall urges all Gen 7 customers to adopt the following controls until further notice:

  1. Disable SSLVPN services where operationally practical.
  2. Restrict SSLVPN access to trusted IP addresses (IP allow-listing).
  3. Enable Security Services
    • Botnet Protection
    • Geo-IP Filtering
  4. Enforce Multi-Factor Authentication (MFA) for all remote access.
  5. Remove unused or inactive local firewall accounts, especially those with SSLVPN rights.
  6. Mandate strong, regularly rotated passwords for every account.

  1. Apply SonicWall’s mitigations immediately, disabling SSLVPN wherever feasible.
  2. Forward SonicWall logs to Meridian Ensure that your SonicWall systems are sending logs to Meridian Security Operations (Syslog or API pull).
  3. Prepare for patching: Monitor SonicWall advisories for firmware updates and schedule maintenance windows.
    • Meridian Vulnerability Management - Customers utilizing Vulnerability Management will be notified immediately once a patch becomes available.
  4. Contact CulperSec SOC for 24/7 monitoring or incident-response assistance.

Conclusion

The SonicWall Gen 7 SSLVPN campaign underscores how perimeter devices can become a primary foothold for ransomware actors. By combining SonicWall’s immediate hardening steps with Meridian’s real-time SIEM analytics and Aegis response, organizations gain the layered defense required to detect and contain these fast-moving intrusions.

Continue reading

More perspectives

View the archive

Put insight to work

Bring the right security expertise to the next decision.

Tell us what your organization is facing. We will help define the practical next step.

Start a conversation