Sonicwall SSL VPN Exploitation
October 13, 2025
By Anna Balabushko
A suspected zero-day vulnerability in SonicWall Gen 7 SSL VPN appliances is being actively exploited by threat actors to bypass multi-factor authentication (MFA), gain unauthorized access to internal networks, and deploy ransomware, primarily Akira. As of early August 2025, no CVE had been assigned, and SonicWall had yet to confirm the precise technical vector. However, incident telemetry and third-party forensics indicated ongoing targeted exploitation of the SSL VPN functionality in Gen 7 firewall firmware.
The adversaries appear to exploit this suspected zero-day to authenticate to the management interface or VPN portal without valid credentials or MFA tokens. Post-access, they perform extensive internal reconnaissance, credential harvesting, and lateral movement, culminating in the deployment of Akira ransomware payloads (Huntress, 2025; Arctic Wolf, 2025).
Vulnerability Type
The vulnerability is currently unclassified and not associated with a public CVE. Based on behavioral analysis and available vendor reporting, the flaw enables MFA bypass on the SonicWall SSL VPN portal. While the exact exploit mechanism remains unknown, affected devices had SSL VPN and management interfaces exposed to the internet.
Observations based on public reporting:
- MFA was bypassed without evidence of brute force or credential stuffing
- Access appeared to use valid user sessions or exploited trust relationships
- Affected appliances were running outdated firmware
Arctic Wolf emphasized that the access patterns did not resemble password guessing or credential stuffing attacks, suggesting a previously unknown exploit path (Huntress, 2025; Arctic Wolf, 2025).
Impacted Versions
Sonicwall Gen 7 firewalls (TZ, NSa series)
- Suspected: SonicOS 7.2.0-7015 and earlier
According to SonicWall’s official advisory published on August 4, 2025, impacted organizations had SSL VPN enabled.
Mitigation Steps
Consolidated recommendations from SonicWall, Huntress, and Arctic Wolf include:
- Disable SSLVPN Services Where Practical
  - Strongly advised to disable SonicWall SSL VPN access until an official patch is released.
- Restrict SSLVPN Access
  - If SSL VPN must remain enabled, restrict it to a minimal allow-list of trusted source IPs.
  - Segment network access from the VPN to prevent lateral movement to critical systems.
- Enable Security Services
  - Activate Botnet Protection and Geo-IP Filtering on the firewall.
- Enforce Multi-Factor Authentication (MFA)
  - Enable MFA for all remote access.
  - Note: MFA alone may not prevent this specific exploit.
- Remove Unused or Inactive Accounts
  - Delete any unused local firewall accounts, especially those with SSL VPN access.
- Audit Service Accounts
  - Ensure SonicWall or LDAP accounts do not have unnecessary privileges such as Domain Admin.
  - Follow the principle of least privilege.
- Practice Good Password Hygiene
  - Encourage regular password changes across all user accounts.
- Block VPN Authentication from Suspicious Hosting ASNs
  - Consider blocking VPN logins from the following ASNs:
    - AS23470: ReliableSite.Net LLC
    - AS215540: Global Connectivity Solutions LLP
    - AS64236: UnReal Servers, LLC
    - AS14315: 1GSERVERS, LLC
    - AS62240: Clouvider Limited
  - Note: Block only for VPN authentication to avoid operational disruption.
- Threat Hunting
  - Use available IOCs to hunt for signs of compromise across internal systems.
Exploit Process
The attack chain observed in incidents involving SonicWall appliances reflects a well-rehearsed, modular playbook. While the initial access vector remains the SSL VPN service on Gen 7 SonicWall firewalls, the post-exploitation activity has followed a familiar progression across incidents: host and network reconnaissance, installation of remote management tooling, evasion of endpoint defenses, credential theft, and ransomware deployment. The following breakdown summarizes activity reported publicly by Huntress.
Initial Access
- Exploit of Edge Appliance: Attackers gain access by exploiting a suspected zero-day or unpatched vulnerability in the SSL VPN service of Gen 7 SonicWall firewalls.
- Use of Over-Privileged Accounts: Access is often gained via over-privileged local or LDAP-linked accounts such as `sonicwall` or `LDAPAdmin`. Attackers authenticated with these accounts over RDP, reused other compromised accounts, or, in some cases, brute forced them.
Post-Exploitation Tactics
Enumeration
- Network Scanning and Domain Reconnaissance: After gaining a foothold, attackers survey the network to identify reachable systems, trust relationships, and AD structures.
  - Tools: `Advanced_IP_Scanner`, `netscan.exe`, `nltest`, and PowerShell AD cmdlets.
  - Example commands:
    - `nltest.exe /trusted_domains`: lists trusted domains.
    - `Install-WindowsFeature RSAT-AD-PowerShell`: installs the tools for querying Active Directory.
    - `Get-ADComputer -Filter *`: enumerates all domain-joined computers.
Persistence
- Installation of RMM Tools: Remote access tools such as AnyDesk, ScreenConnect, and OpenSSH were deployed to maintain persistent access.
  - Deployed via: `msiexec.exe /i "C:\ProgramData\OpenSSHa.msi"`
- Account Creation and Privilege Escalation
  - New users added to local or domain groups:
    - `net user lockadmin Msnc?42da /add`
    - `net group "Domain Admins" azuresync /add`
  - Hidden accounts created using registry edits (a value of 0 under `SpecialAccounts\UserList` hides the account from the logon screen):
    - `reg add "HKLM\...\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v commuser /d 0 /f`
Lateral Movement
- Remote Execution Techniques: Attackers moved laterally using:
  - WMI: `wmic /node:TARGET cmd /c <payload>`
  - PowerShell Remoting: for interactive sessions or remote script execution.
  - RDP Brute Force: attempts to authenticate across systems using stolen or guessed credentials.
- Domain Controller Targeting
  - Example: `wbadmin.exe start backup`: used to back up the domain controller and extract the Active Directory database (NTDS.dit) from the resulting backup.
Credential Theft
- Exfiltration of Credentials from Browsers: Chrome/Edge password stores copied directly from user profiles.
  - Example: `copy "...\Edge\User Data\Default\Login Data" "C:\Windows\Temp\..."`
- Custom Scripts for Dumping Credentials
  - Example: `Veeam_Dump_Postgresql.ps1`: used to extract backup system credentials.
Defense Evasion
- Disabling Windows Defender and Firewalls: PowerShell and CLI commands used
  - `SystemSettingsAdminFlows.exe Defender DisableEnhancedNotifications 1`: disables non-critical notifications from Windows Defender.
  - `netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow`: creates a firewall rule that permits inbound TCP connections on port 3389, effectively enabling Remote Desktop access to the host.
  - `Set-MpPreference -DisableRealtimeMonitoring $true`: disables Microsoft Defender real-time monitoring.
- Use of Windows drivers
  - `rwdrv.sys`: a legitimate driver for the ThrottleStop utility, abused by Akira affiliates to gain kernel-level access on compromised systems. It enables a Bring Your Own Vulnerable Driver (BYOVD) technique that likely facilitates AV/EDR evasion or disablement.
  - `hlpdrv.sys`: a malicious driver registered as a service, used to modify Windows Defender settings by altering the `DisableAntiSpyware` registry key via `regedit.exe`. It likely relies on the elevated access granted by `rwdrv.sys` to execute successfully.
- Log Clearing
  - Batch files used to automate event log deletion.
Staging & Exfiltration
- Data Compression and Exfiltration
  - Tools: `WinRAR` used for staging, `fzsftp.exe` (FileZilla SFTP) for exfiltration.
  - Examples:
    - `WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . X:\[Redacted]`: archives the staged data.
    - `fzsftp.exe -v`: uploads staged data to attacker-controlled servers.
Ransomware Deployment
- Data Destruction and Payload Execution
  - `vssadmin.exe delete shadows /all /quiet`: deletes shadow copies to prevent recovery.
  - `w.exe -p=\\[redacted]\C$ -n=1`: launches the Akira ransomware payload against the target share, encrypting the targeted file system.
This structured post-exploitation chain highlights the blend of automated tooling and hands-on-keyboard attacker interaction. Despite minor differences between individual incidents, the tactical core remains consistent, underscoring the sophistication and repeatability of this threat actor's operations.
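As an added example (not code from Huntress, SonicWall or the original advisory), the following Python script turns the command lines listed in this chain into simple process-creation detections and runs them over constructed sample records. The record format (`host|user|commandline`), the host names and the sample command lines are assumptions for illustration; the full `SpecialAccounts\UserList` registry path is written out in the sample where the advisory abbreviates it.

```python
"""Added example: process-creation detections for the Akira post-exploitation
commands listed above. Not Huntress or SonicWall code; the record format
'host|user|commandline', host names and sample commands are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    stage: str       # stage of the chain as named on this page
    technique: str   # short analyst-facing description
    pattern: re.Pattern


RULES = [
    Rule("Enumeration", "Trusted-domain enumeration via nltest",
         re.compile(r"\bnltest(\.exe)?\s+/trusted_domains", re.I)),
    Rule("Enumeration", "Domain computer enumeration via AD cmdlets",
         re.compile(r"Get-ADComputer\s+-Filter\s+\*", re.I)),
    Rule("Persistence", "Local account created with net user",
         re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    Rule("Persistence", "Account added to Domain Admins with net group",
         re.compile(r'\bnet1?(\.exe)?\s+group\s+"?Domain Admins"?\s+\S+\s+/add\b', re.I)),
    Rule("Persistence", "Account hidden via SpecialAccounts\\UserList",
         re.compile(r"\breg(\.exe)?\s+add\s+.*SpecialAccounts\\UserList.*\s/d\s+0\b", re.I)),
    Rule("Persistence", "OpenSSH installed with msiexec",
         re.compile(r"\bmsiexec(\.exe)?\s+/i\s+\S*OpenSSH\S*\.msi", re.I)),
    Rule("Lateral Movement", "Remote command execution via wmic /node",
         re.compile(r"\bwmic(\.exe)?\s+/node:\S+.*\bcmd(\.exe)?\s+/c\b", re.I)),
    Rule("Credential Theft", "Domain controller backup via wbadmin (captures NTDS.dit)",
         re.compile(r"\bwbadmin(\.exe)?\s+start\s+backup\b", re.I)),
    Rule("Credential Theft", "Browser credential store copied",
         re.compile(r"\bcopy\b.*\\User Data\\Default\\Login Data", re.I)),
    Rule("Defense Evasion", "Defender real-time monitoring disabled",
         re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    Rule("Defense Evasion", "Inbound RDP allowed through Windows Firewall",
         re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*localport=3389\b.*action=allow", re.I)),
    Rule("Staging & Exfiltration", "Archive created with WinRAR",
         re.compile(r"\bwinrar(\.exe)?\s+a\s+", re.I)),
    Rule("Staging & Exfiltration", "SFTP upload via FileZilla fzsftp",
         re.compile(r"\bfzsftp(\.exe)?\b", re.I)),
    Rule("Ransomware Deployment", "Shadow copies deleted with vssadmin",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all\b", re.I)),
]


def scan_command(cmd):
    """Return (stage, technique) for every rule the command line matches."""
    return [(r.stage, r.technique) for r in RULES if r.pattern.search(cmd)]


def scan_log(records):
    """records: iterable of 'host|user|commandline' strings. Returns hit dicts in order."""
    hits = []
    for rec in records:
        host, user, cmd = rec.split("|", 2)   # commandline may itself contain '|'
        for stage, technique in scan_command(cmd):
            hits.append({"host": host, "user": user, "cmd": cmd,
                         "stage": stage, "technique": technique})
    return hits


def stages_by_host(hits):
    """Which stages of the chain each host has shown; sorted for stable output."""
    out = {}
    for h in hits:
        out.setdefault(h["host"], set()).add(h["stage"])
    return {host: sorted(s) for host, s in out.items()}


SAMPLE_RECORDS = [  # constructed; the full UserList key is written out (the page abbreviates it)
    "DC01|svc_backup|nltest.exe /trusted_domains",
    'DC01|svc_backup|powershell.exe -c "Get-ADComputer -Filter *"',
    "SRV02|sonicwall|net user lockadmin Msnc?42da /add",
    'DC01|sonicwall|net group "Domain Admins" azuresync /add',
    r'SRV02|sonicwall|reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v commuser /d 0 /f',
    r'SRV02|sonicwall|msiexec.exe /i "C:\ProgramData\OpenSSHa.msi"',
    r'SRV02|sonicwall|wmic /node:DC01 process call create "cmd /c C:\ProgramData\1.bat"',
    r"DC01|azuresync|wbadmin.exe start backup -backupTarget:D: -include:C:\Windows\NTDS -quiet",
    r'WS07|sonicwall|copy "C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Windows\Temp\ld.db"',
    "WS07|sonicwall|powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    'WS07|sonicwall|netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow',
    r"FS01|azuresync|C:\ProgramData\winrar.exe a -ep1 -scul -r0 -iext -imon1 -- . X:\staging",
    r'FS01|azuresync|"C:\Program Files\FileZilla FTP Client\fzsftp.exe" -v',
    "FS01|azuresync|vssadmin.exe delete shadows /all /quiet",
    r'WS07|alice|"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',   # benign
    "FS01|backup_svc|wbadmin get versions",                                        # benign: no 'start backup'
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_RECORDS):
        print(f"{hit['host']:5} {hit['stage']:24} {hit['technique']}")
    print(stages_by_host(scan_log(SAMPLE_RECORDS)))
```

In practice the records would come from Sysmon Event ID 1 or Security Event ID 4688 command-line fields. A single hit such as `vssadmin delete shadows` is high-confidence on its own; the per-host stage view is what lets an analyst see the chain progressing from the account-creation commands to ransomware deployment, and is the view worth alerting on early, before the last stage appears.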
Timeline
July 15, 2025 - Attackers wielding the Akira ransomware and possibly a zero-day exploit have been spotted targeting SonicWall firewalls
July 25, 2025 - Huntress had detected around 20 different attacks, with variations observed in the tradecraft
August 4, 2025 - Sonicwall publishes a notice with recommended mitigation steps
IOCs
In early August 2025, security vendors such as Huntress, GuidePoint Security and FieldEffect shared the following IoCs:
IP Addresses (Attacker-Controlled)
- 42.252.99[.]59
- 45.86.208[.]240
- 77.247.126[.]239
- 104.238.205[.]105
- 104.238.220[.]216
- 181.215.182[.]64
- 193.163.194[.]7
- 193.239.236[.]149
- 194.33.45[.]155
- 162.213.194[.]186
- 107.158.128[.]106
- 66.165.243[.]39
Malware & Tooling
- `w.exe` – Ransomware executable. SHA256: d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d
- `win.exe` – Ransomware executable
- `C:\ProgramData\winrar.exe` – Data staging tool
- `C:\ProgramData\OpenSSHa.msi` – OpenSSH installer
- `C:\Program Files\OpenSSH\sshd.exe` – SSH binary used for exfiltration
- `C:\programdata\ssh\cloudflared.exe` – Cloudflare tunneling tool
- `C:\Program Files\FileZilla FTP Client\fzsftp.exe` – Exfiltration tool
- `C:\ProgramData\1.bat` – Attacker script
- `C:\ProgramData\2.bat` – Attacker script
- `Users\[REDACTED]\AppData\Local\Temp\rwdrv.sys` – A legitimate driver abused by Akira affiliates. SHA256: 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0
- `Users\[REDACTED]\AppData\Local\Temp\hlpdrv.sys` – A malicious driver. SHA256: bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56
ASNs / CIDRs (Hosting Adversary Infrastructure)
| ASN | ASN Name | CIDR |
|---|---|---|
| AS24863 | LINKNET | 45.242.96.0/22 |
| AS62240 | Clouvider | 45.86.208.0/22 |
| AS62240 | Clouvider | 77.247.126.0/24 |
| AS23470 | ReliableSite LLC | 104.238.204.0/22 |
| AS23470 | ReliableSite LLC | 104.238.220.0/22 |
| AS174 | COGENT 174 | 181.215.182.0/24 |
| AS62240 | Clouvider | 193.163.194.0/24 |
| AS62240 | Clouvider | 193.239.236.0/23 |
| AS62240 | Clouvider | 194.33.45.0/24 |
Compromised or Created Accounts
- `backupSQL` – User created by attacker
- `lockadmin` – User created by attacker
Observed Passwords Used by Threat Actors
- `Password123$`
- `Msnc?42da`
- `VRT83g$%ce`
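An added example (not code from SonicWall, Huntress or the other vendors cited) that applies the IOCs above, and the allow-list and ASN-blocking guidance from the Mitigation Steps, to SSL VPN authentication records and a file inventory. It also implements the pattern the October update describes, one source authenticating successfully to several distinct accounts. The log format (`timestamp user=... src=... result=...`), the usernames, timestamps and the notepad.exe hash are constructed; the IP addresses, CIDR ranges, SHA256 values and account names are the ones published on this page (202.155.8[.]73 from the October update; azuresync and commuser from the persistence commands).

```python
"""Added example, not part of the original advisory or any vendor tooling:
hunts SSL VPN authentication records and a file inventory against the IOCs
published on this page, and encodes the allow-list / ASN-block guidance from
the mitigation section. Log lines, usernames and the benign hash are constructed."""
import ipaddress
import re
from collections import defaultdict

# Attacker-controlled IPs listed on this page (incl. 202.155.8[.]73 from the October update).
IOC_IPS = {ipaddress.ip_address(ip) for ip in (
    "42.252.99.59", "45.86.208.240", "77.247.126.239", "104.238.205.105",
    "104.238.220.216", "181.215.182.64", "193.163.194.7", "193.239.236.149",
    "194.33.45.155", "162.213.194.186", "107.158.128.106", "66.165.243.39",
    "202.155.8.73",
)}
# Hosting ranges from the ASN/CIDR table: lower confidence than an exact IP hit.
IOC_NETS = [(ipaddress.ip_network(c), asn) for c, asn in (
    ("45.242.96.0/22", "AS24863 LINKNET"),
    ("45.86.208.0/22", "AS62240 Clouvider"),
    ("77.247.126.0/24", "AS62240 Clouvider"),
    ("104.238.204.0/22", "AS23470 ReliableSite LLC"),
    ("104.238.220.0/22", "AS23470 ReliableSite LLC"),
    ("181.215.182.0/24", "AS174 COGENT"),
    ("193.163.194.0/24", "AS62240 Clouvider"),
    ("193.239.236.0/23", "AS62240 Clouvider"),
    ("194.33.45.0/24", "AS62240 Clouvider"),
)]
IOC_SHA256 = {
    "d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d": "w.exe (Akira payload)",
    "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0": "rwdrv.sys (BYOVD driver)",
    "bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56": "hlpdrv.sys (malicious driver)",
}
# Accounts the actors created or used (IOC list plus the persistence commands above).
ATTACKER_ACCOUNTS = {"backupsql", "lockadmin", "azuresync", "commuser"}

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def classify_source(src):
    """Exact IOC hit beats a hosting-range hit. Returns (level, detail) or (None, None)."""
    ip = ipaddress.ip_address(src)
    if ip in IOC_IPS:
        return "ioc_ip", str(ip)
    for net, asn in IOC_NETS:
        if ip in net:
            return "ioc_cidr", f"{net} ({asn})"
    return None, None


def hunt_vpn_logins(log_text):
    """One finding per suspicious record, carrying every reason that fired."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        level, detail = classify_source(m["src"])
        if level == "ioc_ip":
            reasons.append(f"known attacker IP {detail}")
        elif level == "ioc_cidr":
            reasons.append(f"source in adversary hosting range {detail}")
        if m["user"].lower() in ATTACKER_ACCOUNTS:
            reasons.append(f"attacker-created account {m['user']}")
        if reasons:
            findings.append({**m.groupdict(), "reasons": reasons})
    return findings


def clustered_sources(log_text, min_accounts=2):
    """Sources that authenticated successfully to several distinct accounts (October 2025 pattern)."""
    users_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["result"] == "success":
            users_by_src[m["src"]].add(m["user"])
    return {src: sorted(u) for src, u in users_by_src.items() if len(u) >= min_accounts}


def check_hashes(inventory):
    """inventory: {path: sha256}. Returns [(path, ioc description)] for every match."""
    return [(p, IOC_SHA256[h.lower()]) for p, h in inventory.items() if h.lower() in IOC_SHA256]


def vpn_auth_policy(src, allowlist=None):
    """Mitigation logic: with an allow-list only listed sources may authenticate;
    without one, deny known attacker IPs and the listed hosting ranges."""
    ip = ipaddress.ip_address(src)
    if allowlist is not None:
        nets = [ipaddress.ip_network(a) for a in allowlist]
        return "allow" if any(ip in n for n in nets) else "deny: not on allow-list"
    level, detail = classify_source(src)
    return f"deny: {level} {detail}" if level else "allow"


# Constructed sample: the RFC 5737 addresses are benign, the others are page IOCs.
SAMPLE_VPN_LOG = """\
2025-10-04T02:13:55Z user=jdoe src=202.155.8.73 result=success
2025-10-04T02:14:02Z user=msmith src=202.155.8.73 result=success
2025-10-04T02:14:40Z user=lockadmin src=45.86.208.240 result=success
2025-10-04T03:01:12Z user=rlee src=104.238.206.17 result=success
2025-10-04T08:30:00Z user=alee src=203.0.113.10 result=success
2025-10-04T08:31:45Z user=bkim src=198.51.100.7 result=failure
"""
SAMPLE_INVENTORY = {  # w.exe hash is the page IOC; the notepad.exe hash is a made-up benign value
    r"C:\ProgramData\w.exe": "d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    for f in hunt_vpn_logins(SAMPLE_VPN_LOG):
        print(f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
    print(clustered_sources(SAMPLE_VPN_LOG))
    print(check_hashes(SAMPLE_INVENTORY))
    print(vpn_auth_policy("203.0.113.10", allowlist=["198.51.100.0/24"]))
```

The two-tier policy mirrors the advice above: an allow-list is the stronger control, and the CIDR deny-list is only the fallback when SSL VPN must stay open to the internet. A hosting-range hit on its own is not proof of compromise, which is why `hunt_vpn_logins` reports the reason level rather than a single verdict, and why the clustered-login check is worth running even on sources that match nothing.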
The recent exploitation of SonicWall Gen 7 SSLVPN appliances reflects a coordinated and multi-stage intrusion campaign likely designed to gain persistent access, stage data, and deploy ransomware. The threat actors have demonstrated familiarity with firewall configurations and leveraged both native Windows tools and third-party utilities (e.g., OpenSSH, FileZilla, Cloudflare tunnels via cloudflared) to evade detection and exfiltrate data.
Organizations relying on SonicWall appliances for remote access should treat this as an active threat and follow emergency mitigation guidance. Even if SSLVPN cannot be disabled, segmentation, MFA, and allow-listed IPs are essential. Future updates from SonicWall and other trusted vendors may further clarify the initial access vector and exploit chain. Until then, detection teams should treat this as a reminder that prompt patch application, rigorous password hygiene, and enforcement of MFA are critical to reducing the attack surface.
Centripetal’s Perspective
Centripetal’s CleanINTERNET® service provides a proactive, intelligence-driven defense against vulnerabilities such as the recently exploited SonicWall SSL VPN flaw, which has been actively used in the wild to gain unauthorized access, deploy malware, and enable data exfiltration. Leveraging billions of threat indicators, CleanINTERNET dynamically blocks malicious traffic using real-time global threat feeds and augmented human analysis, proactively protecting organizations from exploitation attempts involving known IoCs. This approach ensures reduced attack surface, enhanced security operations, and uninterrupted business continuity, enabling organizations to adopt a proactive and adaptive cybersecurity strategy against evolving threats.
UPDATES
October 13, 2025
As of October 10, Huntress has reported widespread compromise of SonicWall SSLVPN devices across multiple Huntress customer environments. Threat actors are authenticating rapidly into numerous accounts, indicating use of valid credentials rather than brute-force methods. The activity began around October 4, with clustered logins observed over the next two days. Huntress observed over 100 impacted SSLVPN accounts across 16 customer environments, with authentications traced to 202.155.8[.]73. In some cases, the actors disconnected shortly after logging in, while in others they conducted network scanning and local Windows account access attempts, suggesting selective post-exploitation. (Huntress, 2025)
SonicWall has since issued a new advisory confirming unauthorized access to cloud-stored firewall configuration backups via its MySonicWall platform, exposing encrypted credentials and configuration data. Although the credentials remain encrypted, SonicWall warns that access to these files increases the risk of targeted follow-on attacks (SonicWall, 2025). This expands on SonicWall’s September disclosure, which had initially limited the impact to under 5% of devices. No direct link has been confirmed between this breach and the current SSLVPN compromises, but given their overlap in timing and credential use, correlation cannot be ruled out.
August 19, 2025
The previously unattributed exploitation of SonicWall SSL VPNs between August-October 2024 has been linked to Akira ransomware operations. SonicWall determined with high confidence that the intrusions resulted from password reuse combined with CVE-2024-40766 exploitation, rather than a zero-day vulnerability as initially suspected. The campaign affected devices with locally-stored credentials during Gen 6 to Gen 7 migrations where passwords weren't reset, with threat actors maintaining their characteristic rapid deployment timeline of 1.5-10 hours from initial access to ransomware execution. This attribution aligns with Akira's established pattern of targeting weak authentication controls and exploiting known vulnerabilities in VPN infrastructure. (SonicWall, 2025)
If you are a current client of Sonicwall please contact support@centripetal.ai.
Centripetal is also pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
Resources
- Sonicwall - Gen 7 SonicWall Firewalls – SSLVPN Recent Threat Activity
- Huntress Threat Advisory - Active Exploitation of SonicWall VPNs
- Arctic Wolf - Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN
- The Hacker News - SonicWall Investigating Potential SSL VPN Zero-Day After 20+ Targeted Attacks Reported
- Help Net Security - SonicWall firewalls targeted in ransomware attacks, possibly via zero-day
- GuidePoint Security - GRITREP: Observed Malicious Driver Use Associated with Akira SonicWall Campaign
- FieldEffect - Update: Akira ransomware group targets SonicWall VPN appliances
- Huntress - Huntress Threat Advisory: Widespread SonicWall SSLVPN Compromise
- SonicWall - MySonicWall Cloud Backup File Incident