SonicWall VPN Attacks: Five Key Things To Know

Researchers are reporting active exploitation of a ‘likely’ zero-day vulnerability affecting SonicWall VPN devices.

A researcher from Arctic Wolf disclosed Friday that an increase in ransomware attacks impacting SonicWall SSL VPNs has been observed in recent weeks.

Then on Monday, researchers at Huntress said in a post that they have also been seeing attacks targeting SonicWall VPN devices.

CRN has reached out to SonicWall for comment.

What follows are five key things to know about the latest SonicWall VPN attacks.

‘Likely’ Zero-Day Vulnerability

Researchers from Arctic Wolf and Huntress have indicated that a zero-day vulnerability is the probable source of the exploitation activity observed targeting SonicWall SSL VPNs, although this has not been confirmed by SonicWall as of this writing.

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” wrote Julian Tuin, a senior threat intelligence researcher at Arctic Wolf Labs, in a post Friday.

Echoing the findings, Huntress researchers wrote Monday that “a likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware.”

“The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild,” the researchers wrote in the post. “This is a critical, ongoing threat.”

Ransomware Deployment

Researchers from both vendors have highlighted that SonicWall VPNs are being actively exploited to deploy ransomware.

Arctic Wolf’s Tuin first identified that Akira ransomware, specifically, has been deployed through exploitation of the SonicWall devices.

Huntress researchers concurred, writing that “the final objective appears to be ransomware”—and that attacker activities have been observed that are intended “to prevent easy recovery right before deploying what we assess to be Akira ransomware.”

SMA Devices Potentially Impacted

Huntress researchers wrote Monday that SonicWall Secure Mobile Access (SMA) devices have been impacted in the attacks.

“Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” Huntress researchers wrote Monday. “This isn’t isolated; we’re seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms.”

In a statement provided to CRN Monday, Arctic Wolf wrote that the “activity we’re observing so far has been limited to SonicOS devices such as the TZ, NSa product lines, not SMA. As far as we are aware, these vulnerabilities are separate.”

Timeframe For Attacks

According to Arctic Wolf, the “recent uptick in ransomware activity involving SonicWall SSL VPNs began as early as July 15, 2025.”

However, “similar malicious VPN logins have been observed to some extent since at least October 2024,” Tuin wrote.

It’s also not the first time that Arctic Wolf researchers have reported Akira ransomware being used to target SonicWall VPNs. In September, an Arctic Wolf researcher wrote that “Akira ransomware affiliates [had] carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts.”

Recommendations

In the Arctic Wolf post, Tuin recommended that customers consider disabling their SonicWall SSL VPN services.

“Given the high likelihood of a zero-day vulnerability, organizations should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed,” he wrote.

Likewise, “Huntress advises disabling the VPN service immediately or severely restricting access via IP allow-listing,” researchers wrote in the Huntress post. “We’re seeing threat actors pivot directly to domain controllers within hours of the initial breach.”