
SonicWall has released an advisory regarding a malicious campaign targeting Gen 7 SonicWall firewalls through a possible zero-day vulnerability in the SSL VPN, which is being actively exploited to deploy ransomware.
According to security researchers from Arctic Wolf and Huntress, threat actors have successfully compromised accounts even in environments with MFA enabled. Additionally, some fully patched SonicWall devices were also affected, suggesting that attackers may be leveraging an undisclosed vulnerability.
In its official advisory, SonicWall stated, “We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.” A temporary workaround has been provided while the investigation remains ongoing.
_____________________________
A. Nature of the Vulnerability
Unknown
As of this writing, SonicWall’s investigation is still ongoing to determine whether threat actors are exploiting a previously disclosed vulnerability or an unknown zero-day vulnerability.
_____________________________
B. Nature of the Attack
Initial Access
Initial access was gained by exploiting an undisclosed vulnerability in the SonicWall SSL VPN, which allowed the threat actors to enter the victim’s environment.
Post-Exploitation Activity
Once the threat actor gained access to the victim’s environment, they leveraged administrative access by using valid, over-privileged LDAP or service accounts associated with the SonicWall device (e.g., sonicwall, LDAPAdmin). To maintain persistence, the threat actor deployed Cloudflared tunnels and OpenSSH under C:\ProgramData for command and control access. Using accounts with elevated privileges, they moved laterally via WMI and PowerShell Remoting, and executed scripts to extract credentials from Veeam backup databases and the Active Directory NTDS.dit file. They also disabled security controls using native Windows tools such as Set-MpPreference and netsh.exe before deleting Volume Shadow Copies and deploying the Akira ransomware.
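As an added example (not code from the advisory or from any of the cited vendors), the following Python turns the post-exploitation behaviours described above into simple hunt rules and runs them over constructed process-creation events; the account watchlist, the regex patterns and the sample command lines are assumptions drawn from the advisory's description, not confirmed attacker tooling.

```python
import re

# Accounts the advisory names as SonicWall-associated LDAP/service accounts.
# A firewall bind account should never be spawning processes on a Windows
# host, so any process it owns is worth a look. (Assumed watchlist.)
WATCHED_ACCOUNTS = {"sonicwall", "ldapadmin"}

# Detection rules: (rule name, compiled pattern, event field it applies to).
# Patterns are assumptions written from the advisory's described TTPs.
RULES = [
    ("tooling-under-programdata",
     re.compile(r"^c:\\programdata\\.*\b(cloudflared|sshd?)\.exe$", re.I), "image"),
    ("defender-tampering",
     re.compile(r"set-mppreference\b.*-disable", re.I), "cmdline"),
    ("netsh-security-control-change",
     re.compile(r"\bnetsh(\.exe)?\b.*\b(firewall|advfirewall)\b", re.I), "cmdline"),
]

# Constructed sample events (not real telemetry), shaped like the fields a
# Sysmon Event ID 1 / Windows 4688 forwarder would emit.
SAMPLE_EVENTS = [
    {"user": "CORP\\LDAPAdmin", "image": r"C:\ProgramData\cloudflared\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run"},
    {"user": "CORP\\sonicwall", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"user": "CORP\\sonicwall", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh.exe advfirewall set allprofiles state off"},
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\OpenSSH\sshd.exe",
     "cmdline": "sshd.exe"},  # benign: OpenSSH from its normal install path
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},  # benign: read-only query
]

def account_name(user: str) -> str:
    """Strip a DOMAIN\\ prefix and normalise case for watchlist comparison."""
    return user.rsplit("\\", 1)[-1].lower()

def scan(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for i, ev in enumerate(events):
        for name, pattern, field in RULES:
            if pattern.search(ev.get(field, "")):
                findings.append({"event": i, "rule": name, "user": ev["user"]})
        if account_name(ev["user"]) in WATCHED_ACCOUNTS:
            findings.append({"event": i, "rule": "service-account-process", "user": ev["user"]})
    return findings

def summarize(findings):
    """Count hits per rule so an analyst sees which TTPs fired."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts
```

On the constructed events the three hostile rows each trigger a TTP rule plus the service-account rule, while both benign rows stay silent.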
_____________________________
C. Indicators of Compromise (IoCs)
_____________________________
D. Actions to be Taken
CERT-PH recommends the following actions be taken:
- While the investigation is ongoing, SonicWall strongly advises customers using Gen 7 SonicWall firewalls to take the following precautionary measures:
  - Disable the SSL VPN feature if it is not in use.
  - Limit SSL VPN connectivity to trusted IP addresses.
  - Enable multi-factor authentication to add an additional layer of security.
  - Remove unused or inactive accounts.
  - Enforce strong password hygiene practices.
- Stay informed by regularly monitoring official SonicWall advisories and cybersecurity news sources for updates related to this threat.
- Proactively monitor logs and network traffic on identified systems and devices for any suspicious or malicious activity.
- Indicators of compromise are included in this report to support threat hunting and blocking.
- For additional information, kindly refer to the official reports:
  - https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
  - https://www.huntress.com/blog/exploitation-of-sonicwall-vpn
  - https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/