
SonicWall VPNs are being actively targeted through what appears to be a zero-day vulnerability that lets attackers bypass multi-factor authentication (MFA) and deploy ransomware.

A likely zero-day vulnerability in SonicWall's Secure Mobile Access (SMA) VPNs and firewall appliances is being exploited in the wild, allowing attackers to bypass multi-factor authentication (MFA) and deploy ransomware within hours of breaching the appliance. Huntress, Arctic Wolf and Sophos have all reported a sharp rise in high-severity incidents involving these devices, and the threat to organisations that depend on them is ongoing. The attacks follow a fast, consistent playbook that begins with a compromise of the SonicWall appliance itself. Huntress, which has been responding to a surge of these incidents since late July 2025, notes that the speed and success of the attacks, even in environments where MFA is enforced, strongly suggest an unpatched vulnerability, although the root cause had not been confirmed at the time of writing.

Once the attackers have a foothold on the appliance, they move against the rest of the network quickly. They have been observed abusing over-privileged service accounts associated with the SonicWall device, such as the LDAP bind account or administrative accounts, to obtain administrative access to the domain. For persistence they install Cloudflared tunnels and OpenSSH, giving themselves a backdoor that survives the loss of the original VPN access.

With elevated privileges, the attackers combine automated scripts with hands-on-keyboard activity to move laterally. They use WMI and PowerShell Remoting to reach other hosts, dump credentials from Veeam Backup databases, and exfiltrate the Active Directory database (NTDS.dit) for offline password cracking. Before the final payload they systematically dismantle defences, disabling Microsoft Defender and modifying host firewall rules to keep their remote access working. The last step is deleting Volume Shadow Copies to hinder recovery, followed by deployment of Akira ransomware.

Security researchers urge organisations to disable SonicWall SSL VPN access until an official patch is released. Where disabling the VPN is not practical, access should be restricted to an allowlist of known, trusted source IP addresses. Service accounts tied to the appliance should also be audited for least privilege: the LDAP account the device binds with needs read access to the directory and nothing more, and should never be a member of an administrative group, since it is exactly the kind of account the attackers are seen riding into the domain.
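The intrusion chain described above leaves a small, recognisable set of command lines in process-creation telemetry (Sysmon event 1 or Windows security event 4688). The following is an added example, not code from the article or from the firms it cites: a Python hunt that scans a constructed, pipe-delimited command-line log for the persistence, lateral-movement, credential-access, defence-evasion and shadow-copy-deletion tooling the article names, then reports which stages of the chain were observed, in what order, and under which accounts. The log format, the sample events, the rule patterns and the escalation heuristic (escalate on any shadow-copy deletion, or once three or more stages are present) are all my own assumptions.

```python
"""Added example: hunt process-creation logs for the post-SonicWall intrusion chain.

Not from the article or from Huntress/Arctic Wolf/Sophos. Assumes a constructed
log format: ISO-timestamp|host|user|command line, one event per line.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    stage: str           # phase of the intrusion the command belongs to
    name: str            # short detection name
    pattern: re.Pattern  # matched against the full command line


# Command-line patterns for the tooling the article lists. The exact invocations
# are assumptions; validate them against your own telemetry before relying on them.
RULES = [
    Rule("persistence", "cloudflared_tunnel",
         re.compile(r"\bcloudflared(\.exe)?\b.*\btunnel\b", re.I)),
    Rule("persistence", "openssh_server_install",
         re.compile(r"(Add-WindowsCapability.*OpenSSH\.Server|\bsshd(\.exe)?\b)", re.I)),
    Rule("lateral_movement", "wmi_remote_process",
         re.compile(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create", re.I)),
    Rule("lateral_movement", "powershell_remoting",
         re.compile(r"\b(Invoke-Command|Enter-PSSession)\b.*-ComputerName", re.I)),
    Rule("credential_access", "ntds_dump",
         re.compile(r"(\bntdsutil(\.exe)?\b.*\bifm\b|\bntds\.dit\b)", re.I)),
    Rule("defense_evasion", "defender_disabled",
         re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I)),
    Rule("defense_evasion", "firewall_rule_change",
         re.compile(r"\bnetsh(\.exe)?\b\s+advfirewall\b.*(set\s+\w+\s+state\s+off|add\s+rule)", re.I)),
    Rule("impact", "shadow_copy_deletion",
         re.compile(r"(\bvssadmin(\.exe)?\b.*delete\s+shadows|\bwmic(\.exe)?\b.*shadowcopy\s+delete)", re.I)),
]


def parse_line(line: str) -> Optional[dict]:
    """Split one assumed-format log line; return None for malformed lines."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, user, cmd = parts
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def match_rules(cmd: str) -> list[Rule]:
    """All rules whose pattern fires on this command line."""
    return [r for r in RULES if r.pattern.search(cmd)]


def assess(lines: Iterable[str]) -> dict:
    """Scan a log; report hits, the order stages were first seen, and the accounts involved."""
    hits, stages, accounts = [], [], set()
    for raw in lines:
        ev = parse_line(raw.strip())
        if ev is None or not ev["cmd"]:
            continue
        for rule in match_rules(ev["cmd"]):
            hits.append((ev["ts"], ev["host"], ev["user"], rule.stage, rule.name))
            if rule.stage not in stages:
                stages.append(rule.stage)
            accounts.add(ev["user"])
    # Escalation heuristic (mine, not the article's): any shadow-copy deletion,
    # or three or more stages of the chain, is treated as a ransomware precursor.
    escalate = "impact" in stages or len(stages) >= 3
    return {"hits": hits, "stages": stages, "accounts": sorted(accounts), "escalate": escalate}


# Constructed sample telemetry in the assumed format; hosts and the account name are made up.
SAMPLE_LOGS = """\
2025-07-28T02:11:09Z|DC01|CORP\\svc-ldap|C:\\ProgramData\\cloudflared.exe tunnel run --token REDACTED
2025-07-28T02:14:33Z|DC01|CORP\\svc-ldap|powershell.exe -c "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"
2025-07-28T02:20:41Z|DC01|CORP\\svc-ldap|wmic.exe /node:FS01 process call create "cmd.exe /c whoami"
2025-07-28T02:22:10Z|DC01|CORP\\svc-ldap|powershell.exe Invoke-Command -ComputerName FS01 -ScriptBlock { whoami }
2025-07-28T02:25:05Z|DC01|CORP\\svc-ldap|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\x" q q
2025-07-28T02:30:18Z|FS01|CORP\\svc-ldap|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2025-07-28T02:31:02Z|FS01|CORP\\svc-ldap|netsh.exe advfirewall firewall add rule name="ssh" dir=in action=allow protocol=TCP localport=22
2025-07-28T02:35:47Z|FS01|CORP\\svc-ldap|vssadmin.exe delete shadows /all /quiet
2025-07-28T08:00:00Z|WS07|CORP\\alice|C:\\Windows\\explorer.exe
"""

if __name__ == "__main__":
    result = assess(SAMPLE_LOGS.splitlines())
    for ts, host, user, stage, name in result["hits"]:
        print(f"{ts} {host} {user} {stage}/{name}")
    print("stages seen:", " -> ".join(result["stages"]))
    print("accounts:", result["accounts"], "escalate:", result["escalate"])
```

Run on the sample it reports all five stages in the order the article describes them, all under the one service account, and escalates. The point of grouping by stage and account rather than alerting on single commands is that any one of these lines can be legitimate administration; a service account that should only ever bind to LDAP running a tunnel, ntdsutil and vssadmin within half an hour is not. Treat the patterns as a starting point and expand them with the tooling you actually see in your own environment.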
