New Advisory: Critical SonicWall SSL-VPN Zero-Day Exploit

ⓘ We are reaching out to let you know about a zero-day security vulnerability in Gen 7 SonicWall firewalls that attackers are currently exploiting.
Advisory Overview


Advisory Type Technical
Author Emilio Smith
Date 15 August 2025

There is an ongoing threat of attacks from the Akira ransomware group targeting Gen 7 SonicWall firewalls where SSL-VPN has been enabled. This group is exploiting a zero-day vulnerability, allowing them to bypass firewall security controls, including multifactor authentication (MFA). As a result, they can access internal network environments to conduct malicious activity. Research reveals that even fully patched systems are still vulnerable to this exploit. CIRT-BS continue to monitor this vulnerability and we will provide future updates.

What’s Happening


Affected Systems Gen 7 SonicWall firewalls with SSL-VPN enabled, though the impact may be limited to TZ and NSa models running firmware versions 7.20 – 7015.
What this Means This zero-day allows attackers to bypass security controls, including multi-factor authentication. Exploiting this flaw, threat actors gain administrative access, disable security tools like Microsoft Defender, move laterally across the network to domain controllers, steal credentials, and ultimately deploy Akira ransomware. This vulnerability enables a rapid and effective attack chain, posing a critical and ongoing threat.
What to Look For


Signs You May Be at Risk You are at risk if you are using any Gen 7 SonicWall firewall where SSL-VPN is enabled.
Signs You May Be Affected Signs of a compromise may include:

  • Encrypted systems.
  • Unauthorised changes to security controls.
  • Suspicious movement in your network
  • Unauthorised use of privileged accounts.
  • Unusual usage of remote desktop applications.
What to Do


Mitigation If you have this appliance in your environment, take the steps outlined below (not in any particular order).

  • Disable SSL-VPN service where practical.
  • Limit SSL-VPN connectivity to trusted source IPs.
  • Enforce multi-factor authentication (MFA).
  • Remove inactive or unused local user accounts that have SSL-VPN on the firewall.
  • Encourage regular password updates across all user accounts.
  • Activate services such as Botnet Protection and Geo-IP Filtering.
  • Where possible, monitor your environment for any unusual activities or changes.
  • Report the issues to CIRT-BS at [email protected].
Official Information


  • https://thehackernews.com/2025/08/sonicwall-investigating-potential-ssl.html
  • https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn
  • https://www.darkreading.com/threat-intelligence/akira-sonicwall-firewalls-zero-day
  • https://therecord.media/sonicwall-possible-zero-day-gen-7-firewalls-ssl-vpn

Should you require additional information or further support, submit a report on our website or contact us at [email protected].

 

Scroll to Top
Skip to content