SonicWall VPN Zero-Day Vulnerability Actively Exploited, Over 20 Targeted Attacks Reported

• Ongoing exploit: Security researchers noticed a SonicWall VPN flaw being exploited in ongoing zero-day attacks.
• Attack details: Threat actors gained access by breaching the VPN app itself and subsequently engaged in post-exploitation activity.
• Flaw risks: Cybercriminals can bypass MFA, and deployments of Akira ransomware have been observed.

A critical SonicWall VPN vulnerability is being actively exploited in the wild, prompting the network security vendor to issue an urgent cybersecurity advisory. Threat actors are leveraging a zero-day exploit to bypass multi-factor authentication (MFA) and deploy ransomware within hours of initial compromise, including Akira.  

Attack Details  

The exploit targets SonicWall’s seventh-generation firewall appliances running firmware version 7.2.0-7015 or earlier. Attackers gain initial access by breaching the VPN appliance itself, followed by rapid post-exploitation activities, the advisory said.

Post-exploitation techniques are linked to enumeration, detection evasion, lateral movement, and credential theft and vary based on the incident, a Huntress report said, adding that the attacks may be limited to TZ and NSa-series devices.

Arctic Wolf observed a July 2025 uptick in Akira Ransomware activity targeting SonicWall SSL VPN. Huntress also published an advisory on the same matter, saying it detected around 20 different attacks starting on July 25, 2025.

Key tactics identified include:

• Credential theft through scripts that extract sensitive data from backup databases and Active Directory.
• Command-and-Control (C2) setup using tools like Cloudflare tunnels and OpenSSH for persistence.
• Lateral movement using PowerShell Remoting and WMI to extend their presence across the network; they also run scripts to dump and decrypt credentials from Veeam Backup databases.
• Ransomware deployment, with attackers using frameworks such as Akira ransomware after disabling security defenses.  

Cybersecurity Implications  

This vulnerability poses a severe risk to organizations relying on SonicWall VPNs, as adversaries can escalate privileges, evade detection, and deliver high-impact payloads such as ransomware. Compromises of this nature can significantly disrupt business operations and result in substantial data breaches.  

Recommended Actions  

Huntress advises organizations to address this zero-day exploit immediately by taking the following steps:

• Disable SSL VPN services on SonicWall devices until a patch is available.  
• If disabling the service is not feasible, restrict access to trusted IP addresses through allow-listing.  
• Audit service accounts to enforce the principle of least privilege and eliminate over-privileged roles.  
• Monitor environments for Indicators of Compromise (IOCs), such as attacker-managed IP addresses or malware-related executables.  

In February, TechNadu reported on SonicWall SSL VPN sessions being exposed to hijacking due to a critical vulnerability.