
Defense Digests

Recent SSLVPN Threat Activity Targeting SonicWall Gen 7 Firewalls



Vulnerability Number: Pending

Severity Level: High – 8.5 (Preliminary Assessment)

Updated as of 8.11.2025

Executive Summary

Recently, SonicWall reported a surge in cyber incidents targeting Gen‑7 (and newer) firewalls that have SSLVPN enabled. Initially speculated to be the result of a zero‑day exploit, the activity has now been linked by SonicWall to a previously disclosed vulnerability, CVE‑2024‑40766 (an improper access control issue in SonicOS management access and SSLVPN, disclosed in August 2024). The affected systems are predominantly those migrated from Gen‑6 to Gen‑7 where local user passwords were carried over and not reset as recommended.

Details

SonicWall devices migrated from Gen‑6 to Gen‑7 may retain local user accounts whose passwords were carried over unchanged; these accounts are being targeted with brute-force and credential-stuffing attacks.

Malicious actors are actively exploiting these accounts, even when MFA is enabled, and the intrusions are resulting in full administrative access, lateral movement, data exfiltration, and Akira ransomware deployment.

Reports show that compromised environments were running fully patched firewalls, which indicates that configuration weaknesses carried over from the migration, rather than a zero-day vulnerability, are being abused.

Because attackers authenticate with valid credentials, their activity arrives over legitimate VPN sessions; weak password policies and the lack of hardening in migrated environments are what make this possible.
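The pattern described above (a run of failed SSLVPN logins against local accounts from one source, followed by a successful login from the same source) is detectable in firewall syslog. The following is an added example written for this digest; it is not code from Dataprise or SonicWall. The log lines are constructed in SonicOS key=value syslog style, and the field names (time, msg, usr, src) and message wording are assumptions that must be adjusted to match your firewall's actual output:

```python
"""Flag brute-force / credential-stuffing activity against SSLVPN local accounts.

Added example, not from the Dataprise advisory or from SonicWall.
The SAMPLE_LOGS below are CONSTRUCTED in SonicOS-style key=value syslog form;
field names (time, msg, usr, src) and message text are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures across three users from 198.51.100.7 inside two
# minutes, then a success for one of them from the same source (the attack pattern).
# 192.0.2.44 is a normal user who mistypes once and then logs in.
SAMPLE_LOGS = """\
id=firewall sn=0000 time="2025-08-05 02:10:01" pri=1 msg="SSL VPN user login failed" usr="jsmith" src=198.51.100.7
id=firewall sn=0000 time="2025-08-05 02:10:04" pri=1 msg="SSL VPN user login failed" usr="jsmith" src=198.51.100.7
id=firewall sn=0000 time="2025-08-05 02:10:09" pri=1 msg="SSL VPN user login failed" usr="jsmith" src=198.51.100.7
id=firewall sn=0000 time="2025-08-05 02:10:15" pri=1 msg="SSL VPN user login failed" usr="legacy_vpn" src=198.51.100.7
id=firewall sn=0000 time="2025-08-05 02:10:22" pri=1 msg="SSL VPN user login failed" usr="admin" src=198.51.100.7
id=firewall sn=0000 time="2025-08-05 02:10:40" pri=1 msg="SSL VPN user login failed" usr="legacy_vpn" src=198.51.100.7
id=firewall sn=0000 time="2025-08-05 02:11:30" pri=6 msg="SSL VPN user login succeeded" usr="legacy_vpn" src=198.51.100.7
id=firewall sn=0000 time="2025-08-05 08:58:00" pri=1 msg="SSL VPN user login failed" usr="jsmith" src=192.0.2.44
id=firewall sn=0000 time="2025-08-05 09:00:00" pri=6 msg="SSL VPN user login succeeded" usr="jsmith" src=192.0.2.44
"""

# key=value pairs; values may be double-quoted (and contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict for SSLVPN auth events, or None for lines we do not care about."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not {"time", "msg", "usr", "src"} <= fields.keys():
        return None
    msg = fields["msg"].lower()
    if "login failed" in msg:
        fields["outcome"] = "fail"
    elif "login succeeded" in msg:
        fields["outcome"] = "success"
    else:
        return None
    fields["ts"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Per source IP: report a brute-force burst (>= threshold failures inside
    `window`) and any success that follows such a burst from the same source."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        recent_fails = []      # failures from this src still inside the window
        burst_reported = False
        for e in evs:
            recent_fails = [f for f in recent_fails if e["ts"] - f["ts"] <= window]
            if e["outcome"] == "fail":
                recent_fails.append(e)
                if len(recent_fails) >= threshold and not burst_reported:
                    findings.append({
                        "type": "brute_force", "src": src,
                        "failures": len(recent_fails),
                        "users": sorted({f["usr"] for f in recent_fails}),
                        "at": e["time"],
                    })
                    burst_reported = True
            elif len(recent_fails) >= threshold:
                # A valid session opened right after a burst: treat as a likely
                # credential-stuffing success and investigate the session.
                findings.append({
                    "type": "success_after_failures", "src": src,
                    "usr": e["usr"], "at": e["time"],
                    "preceding_failures": len(recent_fails),
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
```

Tune `threshold` and `window` to your own baseline; the point of the second finding type is that a success from a source that was just failing repeatedly deserves a session review even though the login itself looks legitimate to the firewall.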

Impact

Successful exploitation of configuration issues in SonicWall Gen 7 SSLVPN services could allow attackers to perform the following:

  • Remote access compromise: Attackers are gaining VPN-level access using valid local credentials.
  • Privilege escalation: Unauthorized access allows elevation to administrative roles.
  • Lateral movement & persistence: Internal resources are being scanned and abused using built-in OS tools and scripting.
  • Data exfiltration: Sensitive business data is being exfiltrated prior to ransomware payload execution.
  • Ransomware deployment: Akira ransomware has been deployed in multiple environments post-compromise.

Mitigation Strategies

We strongly recommend the following actions for all clients using SonicWall Gen‑7 firewalls:

  1. Upgrade Firmware:
    Immediately update to SonicOS 7.3.0 or later, which includes enhancements to SSLVPN protection and brute-force mitigation.
  2. Reset Local User Passwords:
    Especially for accounts migrated from Gen‑6; reset all local SSLVPN user accounts regardless of MFA status.
  3. Enable Security Services:
    Activate Botnet Protection and Geo-IP Filtering to block known threat actor infrastructure.
  4. Remove Inactive Users:
    Delete or disable any local user accounts not in active use to reduce the attack surface.
  5. Enforce Strong Password Policies:
    Apply complex password requirements and disable accounts after a defined number of failed login attempts.
  6. Maintain Multi-Factor Authentication:
    While not foolproof, MFA remains a critical layer of defense and should be enforced on all remote access users.
  7. Audit Configurations:
    Conduct a full review of SonicWall and SSLVPN settings post-migration to validate adherence to current best practices.
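Items 2, 4 and 6 above (reset migrated passwords, remove inactive users, enforce MFA) can be checked mechanically against an export of the firewall's local users. The script below is an added example for this digest, not Dataprise or SonicWall code. The CSV layout, its column names, the `gen6_migration` marker and the sample rows are all assumptions; map them onto whatever your own export or SonicOS API query returns:

```python
"""Audit a local-user export for the account-hygiene items in the mitigation list.

Added example, not from the Dataprise advisory or from SonicWall.
The CSV layout, column names and SAMPLE_EXPORT rows are ASSUMED/CONSTRUCTED.
"""
import csv
from datetime import date
from io import StringIO

# Constructed export. 'origin' marks accounts carried over from a Gen-6 config;
# an empty last_login means the account has never been used on this firewall.
SAMPLE_EXPORT = """\
username,origin,password_changed,last_login,mfa,enabled
jsmith,gen6_migration,2025-07-20,2025-08-01,yes,yes
legacy_vpn,gen6_migration,2022-11-02,2025-07-30,no,yes
contractor1,gen6_migration,2023-01-15,2024-12-01,yes,yes
svc_backup,local,2025-02-10,,no,yes
old_admin,gen6_migration,2021-06-30,2023-05-05,no,no
"""


def parse_date(text):
    return date.fromisoformat(text) if text else None


def audit_users(csv_text, migration_date, as_of, inactive_days=90):
    """Return {username: [required actions]} for enabled accounts.

    reset_password   - migrated account whose password predates the migration
    disable_inactive - no login within `inactive_days` (or never logged in)
    enforce_mfa      - account has no MFA
    """
    findings = {}
    for row in csv.DictReader(StringIO(csv_text)):
        if row["enabled"].strip().lower() != "yes":
            continue  # already disabled: nothing for an attacker to brute-force
        actions = []
        changed = parse_date(row["password_changed"])
        last_login = parse_date(row["last_login"])

        migrated = row["origin"] == "gen6_migration"
        if migrated and (changed is None or changed <= migration_date):
            actions.append("reset_password")
        if last_login is None or (as_of - last_login).days > inactive_days:
            actions.append("disable_inactive")
        if row["mfa"].strip().lower() != "yes":
            actions.append("enforce_mfa")

        if actions:
            findings[row["username"]] = actions
    return findings


if __name__ == "__main__":
    # Assumed dates: the Gen-7 migration happened 2025-03-01; audit run 2025-08-11.
    for user, actions in audit_users(SAMPLE_EXPORT, date(2025, 3, 1), date(2025, 8, 11)).items():
        print(f"{user}: {', '.join(actions)}")
```

Run it against a fresh export after every migration and again after the password reset so that any account whose `password_changed` still predates the migration stands out; disabled accounts are skipped because they cannot be logged into, but they should still be deleted under item 4 once confirmed unused.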


Contributing Authors

  • Kate Burkova, Cybersecurity Analyst, Dataprise
  • Nima Khamooshi, Chief Information Security Officer, Dataprise
