SonicWall said it’s actively investigating reports to determine if there is a new zero-day vulnerability following reports of a spike in Akira ransomware actors in late July 2025.
“Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled,” the network security vendor said in a statement.
“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.”
While SonicWall is digging deeper, organizations using Gen 7 SonicWall firewalls are advised to follow the steps below until further notice –
- Disable SSL VPN services where practical
- Limit SSL VPN connectivity to trusted IP addresses
- Activate services such as Botnet Protection and Geo-IP Filtering
- Enforce multi-factor authentication
- Remove inactive or unused local user accounts on the firewall, particularly those with SSL VPN access
- Encourage regular password updates across all user accounts
The development comes shortly after Arctic Wolf revealed it had identified a surge in Akira ransomware activity targeting SonicWall SSL VPN devices for initial access since late last month.
Huntress, in a follow-up analysis published Monday, also said it has observed threat actors pivoting directly to domain controllers merely a few hours after the initial breach.
Attack chains commence with the breach of the SonicWall appliance, followed by the attackers taking a “well-worn” post-exploitation path to conduct enumeration, detection evasion, lateral movement, and credential theft.
The incidents also involve the bad actors methodically disabling Microsoft Defender Antivirus and deleting volume shadow copies prior to deploying Akira ransomware.
Huntress said it detected around 20 different attacks tied to the latest attack wave starting on July 25, 2025, with variations observed in the tradecraft used to pull them off, including in the use of tools for reconnaissance and persistence, such as AnyDesk, ScreenConnect, or SSH.
There is evidence to suggest that the activity may be limited to TZ and NSa-series SonicWall firewalls with SSL VPN enabled, and that the suspected flaw exists in firmware versions 7.2.0-7015 and earlier.
“The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild,” the cybersecurity company said. “This is a critical, ongoing threat.”
