SonicWall examining potential zero-day vulnerability linked to firewall breaches
SonicWall, a leading network security provider, is currently investigating a surge in attacks targeting its Gen 7 firewalls. These attacks share similarities with a series of hacks last year involving the vulnerability CVE-2024-40766.
Since mid-July 2025, Akira ransomware affiliates have been exploiting SonicWall Gen 7 firewalls by abusing the SSL VPN functionality, leading to unauthorized access and ransomware deployments. Initial speculation suggested a potential zero-day exploit, but investigations revealed that the attacks leverage the known CVE-2024-40766, an improper access control flaw affecting the SonicWall SonicOS management and SSL-VPN components.
Many affected organizations had migrated from SonicWall Gen 6 to Gen 7 firewalls and carried over legacy local user credentials (passwords) without resetting them, contrary to SonicWall’s advisory. This reuse of legacy credentials, combined with suboptimal hardening, provided an entry point for attackers.
Attacks involved techniques such as brute-force, credential stuffing, and attempts to bypass multifactor authentication (MFA), exploiting weaknesses tied to legacy credentials and configurations rather than any unknown flaw.
SonicWall strongly recommends upgrading to SonicOS version 7.3 or later, which includes enhanced protections against credential-based attacks including brute-force and MFA bypass attempts, and resetting all local user passwords after migration to Gen 7 firewalls. Auditing and hardening SSL-VPN configurations is also critical.
Fewer than 40 confirmed cases have been reported so far, and SonicWall has stated with high confidence that there is no zero-day exploited in the recent attack wave.
In addition to SonicWall's findings, security firms like Huntress and Sophos have reported incidents related to these attacks. Huntress has observed approximately 20 such attacks since July 25, and Sophos has reported 10 incidents since July 23.
However, John Hammond, principal security researcher at Huntress, has moderate to high confidence that a zero-day is involved. He believes the attacks are targeting fully patched devices even after their users had rotated credentials. The vulnerability in question involves versions 7.2.0-7015 and earlier of SonicWall firewalls.
Hammond is still working on the root cause analysis of the attacks. The attacks started on July 15, as reported by Arctic Wolf on Aug. 1. It's important to note that while the attacks are primarily observed in U.S.-based organizations, they are not limited to the U.S.
SonicWall is advising customers to disable SSL VPN services when practical, limit SSL VPN access to trusted sources, enforce multifactor authentication, enable botnet filtering and Geo-IP filtering, delete unused accounts, and encourage all users to update their passwords.
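The mitigations above, and the legacy-credential failure mode described earlier, can be turned into a configuration audit. The following is an added example, not SonicWall's own tooling or SonicOS's export format: it runs the checks over a constructed, hypothetical representation of a firewall's state and flags each gap the advisory calls out, including local passwords that predate the Gen 6 to Gen 7 migration.

```python
from datetime import date

# Constructed example of a firewall's state. The field names are hypothetical
# and do not follow SonicOS's real export format; only the checks matter.
EXAMPLE_CONFIG = {
    "firmware": "7.2.0-7015",               # version named in the article; below 7.3
    "gen6_migration_date": date(2025, 5, 1),
    "sslvpn": {"enabled": True, "allowed_sources": ["any"], "mfa_required": False},
    "botnet_filter": False,
    "geoip_filter": False,
    "local_users": [
        {"name": "vpn-admin", "password_changed": date(2023, 2, 10), "last_login": date(2025, 7, 30)},
        {"name": "contractor", "password_changed": date(2025, 6, 1), "last_login": date(2024, 9, 12)},
        {"name": "alice", "password_changed": date(2025, 6, 2), "last_login": date(2025, 7, 29)},
    ],
}

def parse_version(v):
    """'7.2.0-7015' -> (7, 2, 0, 7015) so firmware versions compare numerically."""
    release, _, build = v.partition("-")
    return tuple(int(x) for x in release.split(".")) + (int(build or 0),)

def audit(cfg, today=date(2025, 8, 6), unused_days=90):
    """Return (check, detail) findings for each hardening gap the advisory describes."""
    findings = []
    if parse_version(cfg["firmware"]) < (7, 3):
        findings.append(("firmware", f"{cfg['firmware']} is below SonicOS 7.3; upgrade"))
    vpn = cfg["sslvpn"]
    if vpn["enabled"]:
        if "any" in vpn["allowed_sources"]:
            findings.append(("sslvpn_exposure", "SSL VPN reachable from any source"))
        if not vpn["mfa_required"]:
            findings.append(("mfa", "MFA not enforced for SSL VPN"))
    for key in ("botnet_filter", "geoip_filter"):
        if not cfg[key]:
            findings.append((key, f"{key} disabled"))
    for u in cfg["local_users"]:
        # Passwords carried over from Gen 6 were never reset after migration.
        if u["password_changed"] < cfg["gen6_migration_date"]:
            findings.append(("legacy_credential", f"{u['name']}: password predates Gen 7 migration"))
        if (today - u["last_login"]).days > unused_days:
            findings.append(("unused_account", f"{u['name']}: no login in {unused_days} days"))
    return findings

if __name__ == "__main__":
    for check, detail in audit(EXAMPLE_CONFIG):
        print(f"[{check}] {detail}")
```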
As the investigation continues, SonicWall and the security community will provide updates and guidance to help organizations protect their networks from these attacks.
- The recent surge in attacks on SonicWall Gen 7 firewalls, similar to last year's hacks, exploits the vulnerability CVE-2024-40766, an improper access control flaw.
- Many affected organizations, upon migrating from SonicWall Gen 6 to Gen 7 firewalls, failed to reset legacy local user passwords, providing an entry point for attackers.
- John Hammond, a principal security researcher at Huntress, suspects the presence of a zero-day in these attacks, targeting fully patched devices with rotated credentials, potentially involving versions 7.2.0-7015 and earlier of SonicWall firewalls.
- SonicWall advises customers to take preventive measures such as disabling SSL VPN services, limiting SSL VPN access to trusted sources, enforcing multifactor authentication, enabling botnet filtering and Geo-IP filtering, deleting unused accounts, and updating passwords.
- The investigation into these attacks is ongoing, with SonicWall and the security community providing updates and guidance to help businesses protect their data and cloud computing systems in the face of cyber threats like ransomware.