SonicWall is looking into a possible zero-day vulnerability in its SSL VPN following reports of over 20 targeted attacks.
SonicWall is currently investigating reports of a potential new zero-day vulnerability following a significant increase in Akira ransomware activity targeting Gen 7 SonicWall firewalls with SSL VPN enabled. Over the past 72 hours, both internal and external reports have indicated a surge in cyber incidents related to these devices. SonicWall is working to determine whether these incidents are linked to a previously disclosed vulnerability or if a new one has emerged. In the meantime, organisations using Gen 7 SonicWall firewalls are advised to take precautionary measures, including disabling SSL VPN services where feasible, limiting connectivity to trusted IP addresses, activating Botnet Protection and Geo-IP Filtering, enforcing multi-factor authentication, and regularly updating passwords across all user accounts.
The recent spike in Akira ransomware activity was highlighted by Arctic Wolf, which noted that threat actors have been targeting SonicWall SSL VPN devices for initial access since late July 2025. Huntress also reported that attackers have been quickly pivoting to domain controllers within hours of breaching the SonicWall appliance. The attack chains typically involve enumeration, detection evasion, lateral movement, and credential theft, with attackers disabling Microsoft Defender Antivirus and deleting volume shadow copies before deploying the ransomware. Evidence suggests that the activity may be confined to TZ and NSa-series SonicWall firewalls running firmware versions 7.2.0-7015 and earlier. The rapid success of these attacks, even in environments with multi-factor authentication, indicates a critical ongoing threat that may involve a zero-day vulnerability being exploited in the wild.
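A triage check over a firewall inventory, built from the scoping detail and precautions reported above. This is an added example, not SonicWall, Arctic Wolf or Huntress tooling; the inventory schema, device names and sample records are constructed assumptions, and only the 7.2.0-7015 threshold and the TZ/NSa scope come from the report.

```python
import re

# Threshold and affected series are taken from the report; the rest is assumed.
THRESHOLD = (7, 2, 0, 7015)   # "7.2.0-7015 and earlier"
SERIES = ("TZ", "NSA")        # TZ and NSa series, compared case-insensitively

def parse_firmware(text):
    """Parse 'major.minor.patch-build' (the format quoted in the report)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(device):
    """Return (priority, reasons) for one inventory record (hypothetical schema)."""
    try:
        fw = parse_firmware(device["firmware"])
    except ValueError as exc:
        # Never silently skip a device whose version cannot be read.
        return "manual-review", [str(exc)]
    if fw[0] != 7 or not device["sslvpn"]:
        return "not-in-scope", []
    exposed = device["model"].upper().startswith(SERIES) and fw <= THRESHOLD
    reasons = []
    if exposed:
        reasons.append("TZ/NSa at or below 7.2.0-7015")
    if "any" in device["sslvpn_sources"]:
        reasons.append("SSL VPN not limited to trusted IPs")
    if not device["mfa"]:
        reasons.append("MFA not enforced")
    # MFA does not lower priority: the report notes compromises despite MFA.
    return ("high" if exposed else "precaution"), reasons

# Constructed inventory records for illustration (203.0.113.0/24 is a documentation range).
INVENTORY = [
    {"name": "fw-branch-01", "model": "TZ 470", "firmware": "7.1.1-7058", "sslvpn": True, "sslvpn_sources": ["any"], "mfa": True},
    {"name": "fw-hq-01", "model": "NSa 2700", "firmware": "7.2.0-7015", "sslvpn": True, "sslvpn_sources": ["203.0.113.0/24"], "mfa": True},
    {"name": "fw-lab-01", "model": "TZ 270", "firmware": "7.3.0-7012", "sslvpn": True, "sslvpn_sources": ["any"], "mfa": False},
    {"name": "fw-store-01", "model": "TZ 370", "firmware": "7.0.1-5035", "sslvpn": False, "sslvpn_sources": [], "mfa": False},
    {"name": "fw-unknown-01", "model": "TZ 570", "firmware": "n/a", "sslvpn": True, "sslvpn_sources": ["any"], "mfa": True},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["name"], *triage(dev))
```

Devices rated `high` are the ones to address first with the precautionary measures listed above; `precaution` devices fall outside the reported firmware range but still run Gen 7 SSL VPN.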