Is the Familiar the New Frontier for Cyberattacks?

SonicWall on High Alert: Probes Launched Into Potential SSL VPN Zero-Day Exploit

The420.in Staff

A surge in ransomware attacks via SonicWall SSL VPN has prompted urgent warnings from cybersecurity firms. In mid‑July 2025, Arctic Wolf Labs, Huntress, and other researchers detected a series of breaches in Gen 7 SonicWall firewalls, including fully patched systems protected by multi‑factor authentication (MFA). Alarmingly, the attacks progressed swiftly from VPN access to ransomware deployment, raising strong suspicions of an undisclosed zero‑day vulnerability. SonicWall has confirmed it is actively investigating whether these incidents involve a new flaw or a previously resolved bug.

Evidence Mounts of Zero-Day Exploits

Security firms noted that despite credential rotation and MFA protections, dozens of SonicWall devices were breached. Arctic Wolf highlighted that many intrusions appeared to originate from Virtual Private Server‑hosted logins, diverging from the legitimate broadband sources from which users normally connect. Huntress tracked at least 20 distinct attacks beginning July 25, observing a rapid escalation from breach to ransomware deployment. Once attackers gained VPN access, they deployed a backdoor known as Overstep, compromised privileged accounts, disabled security tools such as Microsoft Defender, and ultimately deployed Akira ransomware. Victims' environments faced swift lateral movement and credential theft.


Initial Response and Safety Measures

According to the network security vendor, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSL VPN is enabled. Over the past 72 hours, it has been actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or whether a new vulnerability may be responsible. While that investigation continues, organizations using Gen 7 SonicWall firewalls have been advised to follow the steps below until further notice:

  • Disabling SSL VPN services where practical
  • Limiting SSL VPN connectivity to trusted IP addresses
  • Activating services such as Botnet Protection and Geo-IP Filtering
  • Enforcing multi-factor authentication
  • Removing inactive or unused local user accounts on the firewall, particularly those with SSL VPN access
  • Encouraging regular password updates across all user accounts

The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild. This is a critical, ongoing threat; the speed and sophistication of these exploits, even against environments protected by standard safeguards, underline cybercrime's escalating reach. This suspected zero‑day could mark a critical turning point in network defense strategy.
