Sonic Wall said it was actively investigating the report to determine whether there are new zero-day vulnerabilities, following an report on Akira ransomware actor Spike in late July 2025.
“Over the past 72 hours, there has been a noticeable increase in both internal and external reported cyber incidents, including the Gen 7 Sonicwall firewall with SSLVPN enabled,” the network security vendor said in a statement.
“We are actively investigating these cases to determine whether they are related to previously disclosed vulnerabilities, or whether new vulnerabilities could be held liable.”
While Sonicwall is digging deeper, organizations using Gen 7 Sonicwall firewalls are encouraged to follow the steps below until further notice –
Disabling SSL VPN Services SSL VPN Connections to trusted IP addresses remove inactive or unused local user accounts on the firewall, such as Botnet Protection and activation services such as GEO-IP Filtering Empiring.
The development comes just after Arctic Wolf revealed that it had identified a surge in Achira ransomware activity targeting SonicWall SSL VPN devices for early access later last month.
Huntress also observed in a follow-up analysis published Monday that he also observed threat actors turning directly to the domain controller hours after the initial violation.
The attack chain starts with a violation of the Sonic Wall Appliance, then robs the attacker’s “worn” exposure pathway to enumerate, avoid detection, lateral movement, and entitlement theft.
The incident also includes bad actors who organize the antivirus of Microsoft Defenders and remove volume shadow copies before deploying Akira ransomware.
Huntress said 20 different attacks have been detected related to the latest attack wave that begins on July 25, 2025. This was observed in variations used to separate them, such as the use of tools for reconnaissance and persistence, or the use of anydesk, screenconnect, or ssh.
This activity may be limited to Sonic Wall Firewalls on TZ and NSA series with SSL VPN enabled, and there is evidence to suggest that suspicious flaws exist before firmware versions 7.2.0-7015.
“The speed and success of these attacks strongly suggest that zero-day vulnerabilities are being exploited in the wild, even in environments with MFA enabled,” the cybersecurity company said. “This is an important, continuous threat.”
Source link
