Gen 7 SonicWall Firewall Users: Disable SSLVPN Services Now

Following ongoing ransomware attacks against SonicWall Gen 7 firewalls, SonicWall urges users to disable SSLVPN services. External cybersecurity researchers say a zero-day vulnerability is likely.


Written by Jackie Leavitt (Editor at Large)

Reviewed by Aleksander Hougen (Co-Chief Editor)


Last week, cybersecurity researchers from Arctic Wolf, Huntress and Google Mandiant warned of an increase in intrusions involving Gen 7 SonicWall firewalls with SSLVPN enabled.

SonicWall post about SSLVPN threat activity on Gen 7 firewalls.
This week SonicWall posted about the ongoing ransomware attacks against Gen 7 firewalls with SSLVPN enabled.

Although SonicWall has not yet confirmed that a zero-day vulnerability is involved, those researchers indicate that it is likely.

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” wrote Arctic Wolf senior threat intelligence researcher Julian Tuin.

Arctic Wolf noted increased attacks impacting SonicWall SSL VPNs on Friday, Aug. 1, with Huntress researchers posting on Aug. 4 confirming targeted attacks.

“A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware,” states a more recent Huntress post. “We’re seeing threat actors pivot directly to domain controllers within hours of the initial breach.”

The timeline for this most recent ransomware activity involving SonicWall SSL VPNs began as early as mid-July, according to Arctic Wolf, though similar attacks have been observed since at least October 2024.

If you’re a Gen 7 SonicWall Firewall user, here are the company’s recommended next steps:

  1. Disable the SSLVPN service where possible, and follow the remaining steps whether or not you can disable it.
  2. Limit SSLVPN connectivity to trusted source IPs.
  3. Enable security services, such as Botnet Protection and Geo-IP Filtering, to detect and block threat actors targeting SSLVPN endpoints.
  4. Enforce multi-factor authentication for all remote access to reduce risk of credential abuse.
  5. Delete any inactive or unused local user accounts on the firewall, especially with SSLVPN access.
  6. Change passwords and enforce regular updates across user accounts.
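Steps 2 and 5 above, and the brute-force possibility Arctic Wolf has not ruled out, can all be checked against a firewall's authentication records. The script below is an added example, not SonicWall's tooling or any log format SonicWall documents: it assumes a simple syslog-like record layout (`user=`, `src=`, `result=`), a constructed allow-list of trusted source ranges, and a constructed inventory of local accounts. It flags successful SSLVPN logins from outside the allow-list, logins preceded by a run of failures from the same source, and local accounts that never appear in the records.

```python
"""Review constructed SSLVPN authentication records against an allow-list.

Added example. The record layout, the trusted ranges and the account list are
all assumptions for illustration, not SonicWall's actual log schema or settings.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (not real firewall output); addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2025-08-01T02:11:05Z sslvpn user=jdoe src=203.0.113.7 result=failure
2025-08-01T02:11:09Z sslvpn user=jdoe src=203.0.113.7 result=failure
2025-08-01T02:11:14Z sslvpn user=jdoe src=203.0.113.7 result=failure
2025-08-01T02:11:20Z sslvpn user=jdoe src=203.0.113.7 result=failure
2025-08-01T02:11:27Z sslvpn user=jdoe src=203.0.113.7 result=failure
2025-08-01T02:11:33Z sslvpn user=jdoe src=203.0.113.7 result=success
2025-08-01T08:02:44Z sslvpn user=asmith src=198.51.100.23 result=success
2025-08-01T09:15:01Z sslvpn user=svc_backup src=192.0.2.50 result=success
2025-08-01T09:15:02Z sslvpn user=asmith src=198.51.100.23 result=failure
"""

# Assumed allow-list of trusted source ranges (vendor step 2).
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed inventory of local firewall accounts with SSLVPN access (vendor step 5).
LOCAL_ACCOUNTS = ["jdoe", "asmith", "svc_backup", "tempcontractor"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None  # malformed address: skip rather than guess
    return rec


def is_trusted(ip, trusted=TRUSTED_SOURCES):
    """True if the address (string or ip_address) falls inside an allowed range."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in trusted)


def analyze(log_text, trusted=TRUSTED_SOURCES, accounts=LOCAL_ACCOUNTS,
            failure_threshold=5):
    """Return findings for untrusted logins, failure runs, and unused accounts."""
    untrusted_success = []      # (timestamp, user, src) successes outside allow-list
    brute_force = []            # (user, src, failures) successes after a failure run
    seen_users = set()
    failures = defaultdict(int)  # (user, src) -> consecutive failures so far

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["user"], str(rec["src"]))
        seen_users.add(rec["user"])
        if rec["result"] == "failure":
            failures[key] += 1
            continue
        # A success: check whether a failure run preceded it, then reset.
        if failures[key] >= failure_threshold:
            brute_force.append(key + (failures[key],))
        failures[key] = 0
        if not is_trusted(rec["src"], trusted):
            untrusted_success.append((rec["ts"],) + key)

    inactive = sorted(set(accounts) - seen_users)
    return {
        "untrusted_success": untrusted_success,
        "brute_force_candidates": brute_force,
        "inactive_accounts": inactive,
    }


if __name__ == "__main__":
    for name, items in analyze(SAMPLE_LOGS).items():
        print(name)
        for item in items:
            print("  ", item)
```

Running it on the constructed records reports two successes from outside the trusted range (including the service account), one account whose success followed five failures from the same address, and one local account that never authenticated during the window, which is the kind of account step 5 says to remove.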

Almost a third of ransomware victims say the most common reason for attacks is an exploited vulnerability. Businesses should prepare for the unexpected by learning more about ransomware and enforcing best practices to prevent ransomware attacks.
