Cyberattack hits the SonicWall VPN

by admin

Cybersecurity platform company SonicWall has identified the origin of a wave of cyberattacks targeting its Gen 7 firewalls with SSLVPN enabled. As of August 12, the company said it had worked with external threat research teams and had published firmware updates.

Security teams at Arctic Wolf, Google Mandiant and Huntress documented the suspicious activity, which was first detected on or around July 15.

SonicWall recommends updating SSLVPN

In early August, SonicWall recommended that customers running Gen 7 SonicWall firewalls with SSLVPN disable the VPN and take other precautions. As of August 12, firmware update version 7.3.0 adds improved brute-force protection and additional MFA controls to address the problem. SonicWall now recommends that users of Gen 7 and newer firewalls with SSLVPN take the following steps:

  • Install firmware version 7.3.0.
  • Reset all local user account passwords.
  • Enable security features such as Botnet Protection and Geo-IP Filtering.
  • Implement multi-factor authentication.
  • Remove unused or inactive user accounts.

Some of the intrusions bypassed MFA, Huntress noted on August 8. The threat actors used an over-privileged LDAP or service account to obtain administrative control. From there, they could move laterally across the network, disable security tools and deploy ransomware.

Huntress began tracking the attacks on July 25 and continues to monitor the activity.

As of August 12, SonicWall had identified fewer than 40 security incidents caused by the attacks. In many cases, the affected accounts had been migrated from Gen 6 to Gen 7 firewalls, and local user passwords were not reset during that process.

SonicWall linked the attacks to CVE-2024-40766, an improper access control vulnerability first identified in August 2024.

Rise in Akira ransomware linked to VPN exploitation

Arctic Wolf Labs reported a significant increase in Akira ransomware activity in July 2025, with SonicWall SSLVPN among the targeted infrastructure. Although no direct link to a single vulnerability has been confirmed, Akira is known to exploit VPNs in targeted campaigns.

Akira, first detected in March 2023, has since claimed responsibility for attacks on Stanford University, Nissan and other high-profile targets. Arctic Wolf Labs recommends blocking VPN activity from specific hosting-related autonomous system numbers (ASNs) to reduce exposure.
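To show the ASN recommendation from the detection side, here is an added example (not code from the article, SonicWall or Arctic Wolf) that scans SSLVPN login records for successful logins originating from hosting ASNs. The log line format, the prefix-to-ASN table and the AS numbers are all constructed placeholders; a real deployment would use its own log export and a BGP or whois feed.

```python
import ipaddress
import re

# Constructed prefix -> ASN table using RFC 5737 documentation ranges and
# RFC 5398 documentation AS numbers; replace with a real feed in production.
HOSTING_PREFIXES = {
    "203.0.113.0/24": "AS64496",
    "198.51.100.0/25": "AS64497",
}
# Longest prefix first so the most specific match wins when prefixes overlap.
_NETS = sorted(((ipaddress.ip_network(p), a) for p, a in HOSTING_PREFIXES.items()),
               key=lambda n: n[0].prefixlen, reverse=True)

# Constructed log line format, not SonicWall's; adapt the regex to your export.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)


def lookup_asn(ip):
    """Return the hosting ASN that announces ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _NETS:
        if addr in net:
            return asn
    return None


def flag_hosting_logins(lines):
    """Return (user, src, asn, mfa) for each successful login from a hosting ASN."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue  # failed attempts are a separate brute-force signal
        asn = lookup_asn(m["src"])
        if asn is not None:
            hits.append((m["user"], m["src"], asn, m["mfa"]))
    return hits


# Constructed sample records for a stand-alone run.
SAMPLE_LOG = [
    "2025-07-20T01:12:03Z user=backup-svc src=203.0.113.44 result=success mfa=no",
    "2025-07-20T01:12:09Z user=jdoe src=192.0.2.10 result=success mfa=yes",
    "2025-07-20T01:13:41Z user=admin src=198.51.100.7 result=failure mfa=no",
    "2025-07-20T01:14:02Z user=admin src=198.51.100.9 result=success mfa=no",
]

if __name__ == "__main__":
    for user, src, asn, mfa in flag_hosting_logins(SAMPLE_LOG):
        print(f"ALERT user={user} src={src} asn={asn} mfa={mfa}")
```

Hits with mfa=no from a service account are the ones to review first, since the article describes over-privileged service accounts being used to bypass MFA.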

Attack detected in July left SonicWall devices vulnerable

In a separate incident disclosed by Google Threat Intelligence Group and Mandiant, a different threat actor, tracked as UNC6148, targeted Secure Mobile Access (SMA) 100 series devices. The attacker loaded a persistent backdoor rootkit with the help of a technique called Overstep, allowing them to gain privileged control.

This story was originally published on August 6 and updated with new SonicWall information on August 12.

For more cybersecurity news, see our coverage of researcher Mikko Hypponen’s Black Hat conference talk on the history of malware.
