Tuesday, August 5, 2025

SonicWall Investigating Potential SSL VPN Zero-Day After 20+ Targeted Attacks Reported


SonicWall said it is actively investigating reports to determine whether there is a new zero-day vulnerability, following reports of a spike in activity by Akira ransomware actors in late July 2025.

“Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled,” the network security vendor said in a press release.

“We’re actively investigating these incidents to determine whether they’re linked to a previously disclosed vulnerability or if a new vulnerability may be responsible.”

While SonicWall is digging deeper, organizations using Gen 7 SonicWall firewalls are advised to follow the steps below until further notice:

  • Disable SSL VPN services where practical
  • Limit SSL VPN connectivity to trusted IP addresses
  • Activate services such as Botnet Protection and Geo-IP Filtering
  • Implement multi-factor authentication
  • Remove inactive or unused local user accounts on the firewall, particularly those with SSL VPN access
  • Encourage regular password updates across all user accounts

The development comes shortly after Arctic Wolf revealed it had identified a surge in Akira ransomware activity targeting SonicWall SSL VPN devices for initial access since late last month.

Huntress, in a follow-up analysis published Monday, also said it has observed threat actors pivoting directly to domain controllers merely a few hours after the initial breach.

Attack chains begin with the breach of the SonicWall appliance, followed by the attackers taking a “well-worn” post-exploitation path to conduct enumeration, detection evasion, lateral movement, and credential theft.

The incidents also involve the bad actors methodically disabling Microsoft Defender Antivirus and deleting volume shadow copies prior to deploying Akira ransomware.


Huntress said it detected around 20 different attacks tied to the latest attack wave starting on July 25, 2025, with variations observed in the tradecraft used to pull them off, including in the use of tools for reconnaissance and persistence, such as AnyDesk, ScreenConnect, or SSH.

There is evidence to suggest that the activity may be limited to TZ and NSa-series SonicWall firewalls with SSL VPN enabled, and that the suspected flaw exists in firmware versions 7.2.0-7015 and earlier.

“The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild,” the cybersecurity company said. “This is a critical, ongoing threat.”
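For defenders triaging a fleet against the reported profile above (TZ or NSa series, SSL VPN enabled, firmware 7.2.0-7015 or earlier), the following is an added example, not code from SonicWall, Huntress or Arctic Wolf. The inventory layout, column names, hostnames and sample firmware values are constructed assumptions; only the 7.2.0-7015 threshold and the model series come from the article.

```python
import csv
import io
import re

# From the article: suspected flaw in firmware 7.2.0-7015 and earlier (Gen 7).
THRESHOLD = (7, 2, 0, 7015)
# Matches exactly major.minor.patch-build, e.g. "7.2.0-7015".
FIRMWARE_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)-(\d+)(?![\w.])")

# Constructed inventory: hostnames, columns and firmware values are made up.
SAMPLE_INVENTORY = """hostname,model,firmware,sslvpn_enabled
fw-branch-01,TZ 470,SonicOS 7.0.1-5161,yes
fw-hq-01,NSa 2700,7.2.0-7015,yes
fw-lab-01,NSa 3700,7.2.0-7015,no
fw-dc-01,NSsp 13700,7.1.1-7040,yes
fw-new-01,TZ 570,7.3.0-7012,yes
fw-unk-01,TZ 370,unknown,yes
"""

def parse_firmware(text):
    """Return (major, minor, patch, build), or None if the string does not match."""
    m = FIRMWARE_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(inventory_csv):
    """Map hostname -> 'matches', 'review' or 'no_match' for the reported profile."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip().upper()
        sslvpn = row["sslvpn_enabled"].strip().lower() in ("yes", "true", "1")
        version = parse_firmware(row["firmware"])
        if not sslvpn or not model.startswith(("TZ", "NSA")):
            status = "no_match"
        elif version is None:
            status = "review"  # firmware unreadable: check the device by hand
        elif version[0] == 7 and version <= THRESHOLD:
            status = "matches"
        else:
            status = "no_match"
        result[row["hostname"]] = status
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Because the article describes the affected scope as tentative, a `no_match` result is a prioritization aid, not a clearance.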
