Recent SSLVPN Threat Activity Targeting SonicWall Gen 7 Firewalls

Vulnerability Number: Pending

Severity Level: High – 8.5 (Preliminary Assessment)

Executive Summary

Over the past 72 hours, internally and externally reported incidents involving SonicWall Gen 7 firewalls with SSLVPN services enabled have increased significantly. Threat intelligence teams at Arctic Wolf, Google Mandiant, and Huntress have also reported related suspicious activity. It is not yet confirmed whether these incidents are tied to a previously disclosed vulnerability or to a newly discovered flaw, but the volume of activity and the targeting pattern warrant immediate defensive action.

Details

Multiple security monitoring teams have observed heightened threat activity directed at SonicWall Gen 7 SSLVPN endpoints. The incidents involve what appears to be deliberate reconnaissance followed by exploitation attempts that could give attackers unauthorized access to corporate networks.

It remains unclear whether attackers are leveraging a known vulnerability or a newly discovered weakness. Our security team, working with external threat research partners, is investigating to identify indicators of compromise (IOCs), assess the exploitation method, and determine whether a patch or firmware update will be required.

Until definitive technical confirmation is available, the threat should be treated as active and credible, given the frequency of incidents, the sophistication of the observed activity, and the targeted nature of the attacks.

Impact

Successful exploitation of a vulnerability in SonicWall Gen 7 SSLVPN services could allow attackers to:

  • Bypass authentication controls, potentially including Multi-Factor Authentication (MFA)
  • Gain unauthorized access to corporate networks
  • Move laterally within compromised environments
  • Deploy additional malware or ransomware payloads
  • Steal sensitive data or credentials

Given how widely SonicWall firewalls are deployed, the risk of broad exploitation is high, particularly for organizations that expose SSLVPN services directly to the internet.

Mitigation Strategies

We strongly recommend implementing the following measures immediately to reduce exposure while the investigation continues:

  1. Disable SSLVPN Services Where Practical
    • If remote connectivity is not mission-critical, turn off SSLVPN access entirely until the root cause is confirmed.
  2. Restrict Access to Trusted IPs
    • If SSLVPN must remain enabled, limit inbound connections to known, trusted IP address ranges, and verify from outside the network that connections from other sources are actually refused.
  3. Enable Security Services
    • Activate Botnet Protection and Geo-IP Filtering to block known threat actor infrastructure and connections from regions where you have no users.
  4. Enforce Multi-Factor Authentication (MFA)
    • Require MFA for all remote access accounts.
    • Note: Some reports suggest MFA alone may not prevent the activity under investigation, so treat it as one layer of defense rather than a substitute for the measures above.
  5. Remove Unused Accounts
    • Immediately delete any inactive or unused local accounts, especially those with SSLVPN access, and review the remaining accounts for any you do not recognize.
  6. Practice Good Password Hygiene
    • Require all users to update passwords, prioritizing accounts with remote access, since credentials may already have been captured.
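The access restriction in item 2 and the account cleanup in item 5 only help if they are checked against what the firewall is actually logging. The following Python script is an added example, not code from Dataprise or SonicWall: it parses constructed key=value login records (the field names, message text, account names and addresses are assumptions for illustration, not real SonicOS message IDs or telemetry), flags successful SSLVPN logins from outside an assumed trusted-range allowlist, flags logins by accounts that should already have been removed, and reports any untrusted source that has authenticated as more than one account.

```python
"""Audit SSLVPN login events against a trusted-source allowlist and a
retired-account list.

Added example, not Dataprise's or SonicWall's code. The records below are
constructed key=value lines loosely modelled on syslog-style firewall output;
the field names, message text, account names and addresses are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Source ranges from which SSLVPN logins are expected (assumed for the example).
TRUSTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Local accounts that should already have been deleted (mitigation item 5); assumed names.
RETIRED_ACCOUNTS = {"contractor01", "svc_backup"}

# Constructed sample records; not real telemetry.
SAMPLE_LOGS = """\
time="2025-08-01 09:12:04" msg="SSLVPN login succeeded" user="alice" src=203.0.113.45
time="2025-08-01 09:15:31" msg="SSLVPN login succeeded" user="contractor01" src=192.0.2.77
time="2025-08-01 09:15:52" msg="SSLVPN login failed" user="admin" src=192.0.2.77
time="2025-08-01 09:16:10" msg="SSLVPN login succeeded" user="bob" src=192.0.2.77
time="2025-08-01 10:02:44" msg="SSLVPN login succeeded" user="carol" src=198.51.100.12
"""

# key=value pairs; the value is either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def is_trusted(src):
    """True if src falls inside an allowlisted range. Unparseable values are untrusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def audit(log_text):
    """Return (severity, reason, details) findings for the given log text."""
    findings = []
    accounts_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        msg, user, src = rec.get("msg", ""), rec.get("user"), rec.get("src")
        if "SSLVPN login" not in msg or not user or not src:
            continue  # not an SSLVPN authentication event, or malformed record
        succeeded = msg.endswith("succeeded")
        if user in RETIRED_ACCOUNTS:
            findings.append(("high", f"retired account {user!r} still being used", rec))
        if succeeded and not is_trusted(src):
            findings.append(("high", f"successful login from untrusted source {src}", rec))
        if succeeded:
            accounts_by_src[src].add(user)
    # One untrusted address authenticating as several users suggests credential abuse.
    for src, users in sorted(accounts_by_src.items()):
        if len(users) > 1 and not is_trusted(src):
            findings.append(("medium", f"{len(users)} distinct accounts from {src}",
                             {"src": src, "users": sorted(users)}))
    return findings


if __name__ == "__main__":
    for severity, reason, details in audit(SAMPLE_LOGS):
        print(f"[{severity.upper()}] {reason}: {details}")
```

Run it against syslog exported from the firewall after adapting the field names and message text to the real record format. Any "untrusted source" finding dated after the access restriction was applied means the restriction is not actually in effect, and any "retired account" finding means the account cleanup is incomplete or a deleted account has been recreated.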

Contributing Authors

  • Kate Burkova, Cybersecurity Analyst, Dataprise
  • Nima Khamooshi, Chief Information Security Officer, Dataprise
