SonicWall Gen 7 SSLVPN Threat Advisory

What you should know about the ongoing SonicWall SSLVPN attacks

Executive Summary

SonicWall is investigating a surge in cyber-incidents targeting Gen 7 firewalls with SSLVPN enabled. Third-party researchers report that threat actors, most notably Akira ransomware affiliates, may be exploiting a zero-day or abusing valid VPN credentials. Exploitation often leads to rapid lateral movement, Defender tampering, shadow-copy deletion, and full-environment encryption within hours.

Action is required immediately. Below we outline SonicWall’s official mitigation steps.


What We Know So Far

  • Spike in attacks: SonicWall observed a notable uptick in incidents over the last 72 hours against Gen 7 devices running various firmware versions with SSLVPN active.
  • Potential zero-day: Some compromised firewalls were fully patched, suggesting an undisclosed vulnerability; credential theft has not been ruled out.
  • Post-exploitation activity: Huntress notes rapid pivot to domain controllers, use of remote-access tools (AnyDesk, ScreenConnect, SSH), and ransomware deployment soon after initial VPN access.
  • Targets & impact: Akira has hit hundreds of organizations worldwide, including higher-education, manufacturing, and healthcare sectors that frequently rely on SonicWall appliances for edge protection.

Official SonicWall Mitigation Guidance

SonicWall urges all Gen 7 customers to adopt the following controls until further notice:

  1. Disable SSLVPN services where operationally practical.
  2. Restrict SSLVPN access to trusted IP addresses (IP allow-listing).
  3. Enable Security Services
    • Botnet Protection
    • Geo-IP Filtering
  4. Enforce Multi-Factor Authentication (MFA) for all remote access.
  5. Remove unused or inactive local firewall accounts, especially those with SSLVPN rights.
  6. Mandate strong, regularly rotated passwords for every account.

  1. Apply SonicWall’s mitigations immediately, disabling SSLVPN wherever feasible.
  2. Forward SonicWall logs to Meridian: Ensure that your SonicWall systems are sending logs to Meridian Security Operations (Syslog or API pull).
  3. Prepare for patching: Monitor SonicWall advisories for firmware updates and schedule maintenance windows.
    • Meridian Vulnerability Management - Customers utilizing Vulnerability Management will be notified immediately once a patch becomes available.
  4. Contact CulperSec SOC for 24/7 monitoring or incident-response assistance.
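The log-forwarding step only pays off if something is actually watching the forwarded SSLVPN events for the conditions the SonicWall guidance is aimed at: logins from addresses outside the IP allow-list, logins by local accounts that should have been removed, and bursts of failed logins that point at credential abuse. The script below is an added example written for this advisory; it is not code from SonicWall, Meridian, CulperSec or Huntress. It parses constructed SonicWall-style key=value syslog lines and returns findings for those three conditions. The field names (`msg=`, `src=`, `usr=`), the message texts, the allow-list, the stale-account set and the failed-login threshold are all assumptions for illustration and should be checked against your appliance's log reference and your own environment.

```python
"""Triage SonicWall-style SSL VPN syslog lines (constructed example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in SonicWall's key=value syslog style. The field
# names (msg=, src=, usr=) and the message texts are assumptions for this
# example; verify them against your appliance's log reference before use.
SAMPLE_LOGS = [
    'id=firewall sn=EXAMPLE-SN time="2025-08-01 02:14:07" fw=203.0.113.10 pri=6 '
    'msg="SSL VPN user login successful" src=198.51.100.23 dst=203.0.113.10 usr="jdoe"',
    'id=firewall sn=EXAMPLE-SN time="2025-08-01 02:15:31" fw=203.0.113.10 pri=6 '
    'msg="SSL VPN user login successful" src=192.0.2.77 dst=203.0.113.10 usr="jdoe"',
    'id=firewall sn=EXAMPLE-SN time="2025-08-01 02:16:02" fw=203.0.113.10 pri=5 '
    'msg="SSL VPN user login failed" src=192.0.2.77 dst=203.0.113.10 usr="admin"',
    'id=firewall sn=EXAMPLE-SN time="2025-08-01 02:16:09" fw=203.0.113.10 pri=5 '
    'msg="SSL VPN user login failed" src=192.0.2.77 dst=203.0.113.10 usr="admin"',
    'id=firewall sn=EXAMPLE-SN time="2025-08-01 02:16:15" fw=203.0.113.10 pri=5 '
    'msg="SSL VPN user login failed" src=192.0.2.77 dst=203.0.113.10 usr="admin"',
    'id=firewall sn=EXAMPLE-SN time="2025-08-01 02:20:45" fw=203.0.113.10 pri=6 '
    'msg="SSL VPN user login successful" src=198.51.100.40 dst=203.0.113.10 usr="contractor_old"',
    'id=firewall sn=EXAMPLE-SN time="2025-08-01 02:21:00" fw=203.0.113.10 pri=6 '
    'msg="Connection Opened" src=198.51.100.40 dst=203.0.113.10',
]

# Constructed policy inputs: the trusted networks from the IP allow-list step,
# local accounts already identified as unused, and a failed-login threshold.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
STALE_ACCOUNTS = {"contractor_old"}
FAILED_LOGIN_THRESHOLD = 3

# Matches key=value and key="quoted value with spaces" tokens.
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one key=value syslog line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in TOKEN_RE.findall(line)}


def ip_allowed(src, allowed_nets=ALLOWED_NETS):
    """True when src is a valid address inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed or missing source field: treat as not allowed
    return any(addr in net for net in allowed_nets)


def triage(lines, allowed_nets=ALLOWED_NETS, stale_accounts=STALE_ACCOUNTS,
           threshold=FAILED_LOGIN_THRESHOLD):
    """Return (finding, src, usr) tuples for SSL VPN events worth an analyst's look."""
    findings = []
    failures = Counter()  # failed logins per source address
    for line in lines:
        event = parse_kv(line)
        msg = event.get("msg", "")
        if "SSL VPN" not in msg:
            continue  # not an SSL VPN event; ignore
        src, usr = event.get("src", "?"), event.get("usr", "?")
        if "login failed" in msg:
            failures[src] += 1
            if failures[src] == threshold:  # fire once when the threshold is reached
                findings.append(("failed_login_burst", src, usr))
            continue
        if "login successful" in msg:
            if not ip_allowed(src, allowed_nets):
                findings.append(("login_outside_allowlist", src, usr))
            if usr in stale_accounts:
                findings.append(("stale_account_login", src, usr))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(*finding)
```

Run against the constructed lines it reports one login from an address outside the allow-list, one failed-login burst from that same address, and one successful login by an account that the account-cleanup step should already have removed. In practice the same logic belongs in the SIEM rule set fed by the syslog forwarder, with the allow-list and stale-account inputs kept in sync with the firewall configuration rather than hard-coded.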

Conclusion

The SonicWall Gen 7 SSLVPN campaign underscores how perimeter devices can become a primary foothold for ransomware actors. By combining SonicWall’s immediate hardening steps with Meridian’s real-time SIEM analytics and Aegis response, organizations gain the layered defense required to detect and contain these fast-moving intrusions.
