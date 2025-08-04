Security experts have warned of a possible zero-day vulnerability in SonicWall SSL VPNs after noting a surge in ransomware attacks targeting the devices for initial access.

Arctic Wolf claimed in a security notice on Friday that it had observed “multiple pre-ransomware intrusions” in late July “within a short period of time.”

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” it continued.

“In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP [time-based one-time password] MFA being enabled, accounts were still compromised in some instances.”

In every case the vendor observed, the threat actors gained initial access through the SonicWall SSL VPN, and only a short interval separated that VPN login from ransomware encryption, Arctic Wolf said.

“In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments,” it added.

Malicious VPN logins have been observed by the firm since October 2024, although the most recent uptick in activity began on July 15 2025, Arctic Wolf said.

It urged SonicWall SSL VPN customers to:

Consider disabling the service until a patch is deployed (assuming the attacks stem from a zero-day vulnerability)

Enable SonicWall log monitoring through the Arctic Wolf Managed Detection and Response service

Enable security services such as botnet protection to help detect threat actors that target SSL VPN endpoints

Enforce multi-factor authentication (MFA) for all remote access to reduce the risk of credential abuse

Remove unused or inactive local firewall user accounts, particularly those with SSL VPN access

Practice good password hygiene such as encouraging periodic password updates across all user accounts

Review hosting-related ASNs (listed in the blog) and consider blocking their corresponding CIDR ranges for VPN authentication
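The source-network heuristic quoted above (legitimate logins come from residential ISP space, ransomware crews authenticate from VPS hosting) and the final recommendation (review hosting ASNs and treat their CIDR ranges as suspect for VPN authentication) can be turned into a simple triage over VPN authentication logs. The script below is an added example written for this page, not code from SonicWall, Arctic Wolf or the article. Everything in it is constructed: the log line format is a simplified generic one rather than SonicWall's real syslog schema, and the ASN labels and CIDR ranges are placeholders from documentation address space standing in for the ranges a team would pull from the ASNs listed in the Arctic Wolf blog. It goes slightly beyond the text by also grouping hits per source address, since one VPS address authenticating as several accounts is a stronger signal than a single stray login.

```python
"""Flag successful SSL VPN logins that originate from hosting-provider
address space instead of residential ISP space.

Added example for this article, not code from SonicWall or Arctic Wolf.
Everything below is constructed: the log format is a simplified generic
one rather than SonicWall's real syslog format, and the CIDR/ASN entries
are placeholder values standing in for the ranges a team would pull from
the hosting ASNs named in the Arctic Wolf blog.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder hosting ranges (RFC 5737/3849 documentation space, not real
# provider allocations). Replace with the reviewed ASNs' CIDR ranges.
HOSTING_RANGES = {
    "AS64496 (placeholder VPS provider A)": ["203.0.113.0/24"],
    "AS64497 (placeholder VPS provider B)": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Parse the CIDRs once so each lookup is a cheap membership test.
_NETWORKS = [
    (ipaddress.ip_network(cidr), label)
    for label, cidrs in HOSTING_RANGES.items()
    for cidr in cidrs
]

# Simplified, constructed log line shape (not SonicWall's real format):
#   <timestamp> vpn-auth user=<name> src=<ip> result=<success|failure> mfa=<yes|no>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample events: one normal login, three from the placeholder
# hosting ranges (two sharing a single VPS address), one failed attempt.
SAMPLE_LOG = """\
2025-07-15T02:11:04Z vpn-auth user=jdoe src=192.0.2.10 result=success mfa=yes
2025-07-15T02:14:37Z vpn-auth user=jdoe src=203.0.113.45 result=success mfa=yes
2025-07-15T02:15:02Z vpn-auth user=svc-backup src=203.0.113.45 result=success mfa=no
2025-07-15T02:16:58Z vpn-auth user=asmith src=198.51.100.200 result=success mfa=yes
2025-07-15T02:17:20Z vpn-auth user=asmith src=198.51.100.7 result=failure mfa=no
2025-07-15T03:00:00Z vpn-auth user=bjones src=2001:db8:1::beef result=success mfa=yes
"""


def hosting_label(ip_str):
    """Return the hosting label for ip_str if it sits in a listed range, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # malformed or non-IP source field
        return None
    for net, label in _NETWORKS:
        if ip.version == net.version and ip in net:
            return label
    return None


def parse_line(line):
    """Parse one log line into a dict, or None if it is not a VPN auth event."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return successful logins from hosting space, in log order.

    Failed attempts are dropped: the signal the article describes is a
    successful authentication from a VPS, with or without MFA.
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        label = hosting_label(ev["src"])
        if label is not None:
            findings.append({**ev, "hosting": label})
    return findings


def users_per_source(findings):
    """Map each hosting source IP to the set of accounts it logged in as.

    One VPS address authenticating as several accounts is a stronger
    indicator than a single stray login.
    """
    by_src = defaultdict(set)
    for f in findings:
        by_src[f["src"]].add(f["user"])
    return dict(by_src)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['user']:<12} {h['src']:<20} mfa={h['mfa']} <- {h['hosting']}")
    for src, users in users_per_source(hits).items():
        if len(users) > 1:
            print(f"{src} used by {len(users)} accounts: {sorted(users)}")
```

Run against the constructed sample, the script reports the three successful logins from placeholder hosting space and notes that 203.0.113.45 authenticated as two different accounts; the login from 198.51.100.200 is not flagged because it falls outside the /25. For the blocking half of the recommendation, the same CIDR list would be applied as a deny rule on the VPN authentication path rather than only as a detection filter.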

Network edge devices such as VPN gateways, firewalls and routers are a popular target for ransomware actors because they are reachable from the public internet yet also provide a path into sensitive corporate resources. Such appliances typically cannot run endpoint detection and response (EDR) agents, which leaves network defenders with a blind spot at exactly the point where initial access occurs.

SonicWall shared the following response with Infosecurity:

"SonicWall is actively investigating a recent increase in reported cyber incidents involving a number of Gen 7 firewalls running various firmware versions with SSLVPN enabled. These cases have been flagged both internally and by third-party threat research teams, including Arctic Wolf, Google Mandiant, and Huntress. We are working closely with these organizations to determine whether the activity is tied to a previously disclosed vulnerability or represents a zero-day vulnerability."