Table of Contents
- Is Your Business at Risk? The Alarming Truth About Recent SonicWall Firewall Attacks.
- The Initial Scare: A Zero-Day Threat?
- The Real Culprit: An Old Flaw and Overlooked Steps
- A Separate Warning for Older Devices
- How to Protect Your Network Right Now
- Update Your Firmware
- Reset All Local User Passwords
- Strengthen Your Security Policies
- Enable Additional Protections
- Review and Clean Up
Is Your Business at Risk? The Alarming Truth About Recent SonicWall Firewall Attacks.
If you rely on a SonicWall firewall to protect your business, you need to be aware of a recent surge in cyberattacks. In July and August 2025, reports emerged of attackers successfully breaching company networks, leading to serious disruptions, including ransomware infections. Initially, the situation seemed dire, with many security experts fearing a powerful, unknown vulnerability was being used.
However, the real cause is something more familiar and, fortunately, something you can fix.
The Initial Scare: A Zero-Day Threat?
In late July 2025, security provider Arctic Wolf raised an alarm. They observed a significant increase in attacks using the Akira ransomware, with the criminals gaining entry through SonicWall SSL VPNs. An SSL VPN is a tool many businesses use to allow employees to connect to the company network securely from anywhere.
The attacks were concerning for several reasons:
- Speed: Attackers were able to encrypt a network with ransomware very quickly after gaining VPN access.
- Effectiveness: The breaches were happening even on firewalls that were fully patched and updated.
- MFA Bypass: In some cases, accounts were compromised even when protected by multi-factor authentication (MFA), a critical security layer.
Because even well-protected systems were being hit, security firms like Arctic Wolf and Huntress suspected a “zero-day” vulnerability was to blame. A zero-day is a brand-new flaw that the manufacturer doesn’t know about yet, making it incredibly difficult to defend against. As a precaution, these firms advised organizations to consider disabling their SonicWall SSL VPN service entirely until a patch could be released.
The Real Culprit: An Old Flaw and Overlooked Steps
After an investigation, SonicWall delivered crucial news: the attacks were not the result of a zero-day vulnerability. The true root cause was a combination of a previously known vulnerability, CVE-2024-40766, and a failure to follow security best practices during device upgrades.
The primary issue was linked to businesses migrating from older Generation 6 firewalls to the newer Generation 7 models. During this upgrade process, many administrators simply carried over their existing configurations, which included old local user passwords. SonicWall had already issued guidance for the CVE-2024-40766 vulnerability back in August 2024, and a key recommendation was to reset all local user passwords.
Hackers discovered that many organizations had skipped this vital step, leaving an open door for them to exploit. They were essentially using old keys to unlock new doors.
A Separate Warning for Older Devices
It’s also important to note a separate, though related, issue involving older, end-of-life SonicWall SMA 100 series appliances. A financially motivated hacking group known as UNC6148 was found targeting these devices with a custom backdoor called OVERSTEP. This malware allowed the attackers to maintain persistent access and steal credentials, even on patched systems, highlighting the risks of using outdated hardware.
How to Protect Your Network Right Now
The good news is that you can take specific, powerful steps to defend against the primary threat targeting Gen 7 firewalls. SonicWall has urged all customers to take immediate action to secure their networks.
Update Your Firmware
The most critical action is to update your firewall to SonicOS version 7.3 or newer. This version includes enhanced protections specifically designed to counter brute-force password and MFA attacks, making it much harder for criminals to get in.
Reset All Local User Passwords
This step is absolutely essential, especially if you migrated your settings from a Gen 6 device. You must reset the passwords for all local user accounts that have SSL VPN access.
Strengthen Your Security Policies
Do not rely on passwords alone. Enforce strong password requirements and ensure MFA is active for all users.
Enable Additional Protections
Use the built-in security features of your firewall. Turn on Botnet Protection and Geo-IP Filtering to block traffic from known malicious sources.
Review and Clean Up
Regularly review your firewall logs for any unusual activity or suspicious logins. You should also remove any inactive or unnecessary user accounts to limit potential points of entry.
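One way to automate the log review in these steps, as an added example that is not from SonicWall or the original article: the script below parses constructed SSL VPN login events in an assumed, simplified key=value format (the field names are not SonicWall's documented schema), flags bursts of failed logins per source address, a success that immediately follows such a burst, and any login by a local account carried over from a Gen 6 configuration that has not yet been reset (the `unreset` set is an assumed input you maintain).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value syslog style; the field names are
# assumptions for illustration, not SonicWall's documented log schema.
SAMPLE_LOGS = """\
time="2025-08-01 09:00:01" msg="SSL VPN login failed" usr="jsmith" src=203.0.113.5
time="2025-08-01 09:00:04" msg="SSL VPN login failed" usr="jsmith" src=203.0.113.5
time="2025-08-01 09:00:06" msg="SSL VPN login failed" usr="legacyadmin" src=203.0.113.5
time="2025-08-01 09:00:09" msg="SSL VPN login failed" usr="legacyadmin" src=203.0.113.5
time="2025-08-01 09:00:12" msg="SSL VPN login failed" usr="legacyadmin" src=203.0.113.5
time="2025-08-01 09:00:20" msg="SSL VPN login succeeded" usr="legacyadmin" src=203.0.113.5
time="2025-08-01 10:15:00" msg="SSL VPN login succeeded" usr="mlee" src=198.51.100.7
"""
LINE_RE = re.compile(r'time="(?P<t>[^"]+)" msg="(?P<msg>[^"]+)" usr="(?P<usr>[^"]+)" src=(?P<src>\S+)')

def parse(log_text):
    """Turn matching lines into event dicts; lines of another shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"time": datetime.strptime(m["t"], "%Y-%m-%d %H:%M:%S"),
                           "ok": m["msg"].endswith("succeeded"),
                           "usr": m["usr"], "src": m["src"]})
    return events

def find_suspicious(events, threshold=5, window=timedelta(seconds=60), unreset=()):
    """Flag failure bursts per source, a success that follows a burst, and any login
    by a local account listed in `unreset` (not re-credentialed after migration)."""
    alerts, burst_src = [], set()
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    for e in sorted(events, key=lambda e: e["time"]):
        q = recent[e["src"]]
        if not e["ok"]:
            q.append(e["time"])
            while e["time"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and e["src"] not in burst_src:
                burst_src.add(e["src"])
                alerts.append(f"burst: {len(q)} failures from {e['src']} within {window.seconds}s")
            continue
        if e["src"] in burst_src:
            alerts.append(f"success-after-burst: {e['usr']} from {e['src']} at {e['time']}")
        if e["usr"] in unreset:
            alerts.append(f"unreset-account-login: {e['usr']} from {e['src']}")
    return alerts
```

Feed it your exported firewall log instead of `SAMPLE_LOGS` after adjusting `LINE_RE` to the real field layout, and populate `unreset` from the list of local accounts you migrated but have not yet reset.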
While the initial news of these attacks was alarming, the solution is clear. This situation serves as a powerful reminder that cybersecurity is not just about defending against unknown threats; it’s also about diligently managing the known ones. By updating your systems and ensuring strong password hygiene, you can defeat these attacks and keep your network secure.