SonicWall Ransomware Activity

Published: Tue 05 August 2025

Prepared by: Adam Skupien, Vulnerability Security Analyst

Purpose

This bulletin addresses the recent surge in ransomware activity targeting SonicWall SSL VPN devices for initial access. The team at Arctic Wolf has observed multiple intrusions in which VPN access through SonicWall SSL VPNs was closely followed by deployment of Akira ransomware within the network. SonicWall has not released a patch to mitigate this vulnerability at this time.

Vulnerability details

On 1 August 2025, Arctic Wolf published a blog covering their discovery of an uptick in threat-actor activity targeting SonicWall firewall devices. This activity led to initial access, shortly followed by ransomware being deployed within the network. It was noted that the ransomware activity started as early as 15 July 2025.

On 4 August 2025 SonicWall released an advisory confirming that there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSL VPN is enabled.

No specific vulnerabilities have been associated with this activity at this time; however, fully patched SonicWall devices with rotated credentials have also been seen affected, suggesting the existence of a zero-day vulnerability. Accounts with TOTP MFA enabled were also seen compromised in some instances.

Impact

Successful exploitation appears to provide remote, unauthenticated threat actors with high-level access to the SonicWall devices, allowing them to pivot to the internal network to deploy the ransomware.

Mitigation actions

Organisations should disable their SonicWall SSL VPN service until a patch is made available, as this appears to be the initial access vector.

Triskele Labs recommends that Endpoint Detection and Response (EDR) be deployed universally across the environment and correctly configured, including on the VPN server.

SonicWall SSL VPN servers should be configured and hardened according to SonicWall best practices guidelines.

IP addresses accessing the VPN should be restricted to a list of whitelisted addresses if possible, and geo-restricted to reduce attack surface.

Unused and inactive accounts should be deleted on the device.

Arctic Wolf has provided a list of Autonomous System Numbers (ASNs) associated with the observed threat-actor campaign. Their CIDR ranges could be restricted from accessing the VPN to reduce overall exposure:

ASN        Organisation Name
AS23470    ReliableSite.Net LLC
AS215540   Global Connectivity Solutions LLP
AS64236    UnReal Servers, LLC
AS14315    1GSERVERS, LLC
AS62240    Clouvider Limited

Note, however, that the networks above are not inherently malicious; blocking all traffic from them, rather than limiting the block to VPN authentication, could disrupt routine operations.

Detection capabilities

Logs should be reviewed for suspicious authentication attempts on the VPN, and signs of lateral movement investigated. Privileged account activity should be monitored closely.
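The two recommendations above, restricting VPN authentication to an allowlist and blocked CIDR set (mitigation actions) and reviewing VPN logs for suspicious authentication and privileged-account activity (detection capabilities), can be combined into a single log-review pass. The following is an added example, not code from Triskele Labs, Arctic Wolf or SonicWall. The log line format, field names, allowlist, the CIDR ranges and the sample log lines are all constructed for illustration; the CIDR ranges are placeholders and are not the real announcements of the ASNs listed in the bulletin, which should be looked up from current routing data before use.

```python
"""Review constructed SSL VPN authentication logs for the signals named in
the bulletin: successful logins from blocked or non-allowlisted ranges,
a success following a burst of failures, and privileged-account logins.
Added example; the log schema below is an assumption, not SonicWall's."""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder ranges an organisation chooses to block at VPN
# authentication only (not at the perimeter, per the bulletin's caveat).
# NOT the actual ranges of AS23470/AS215540/AS64236/AS14315/AS62240.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed allowlist of source ranges permitted to authenticate.
ALLOWED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Accounts whose VPN logins warrant closer review (assumed names).
PRIVILEGED_USERS = {"admin", "vpnadmin"}

# Number of failures from one source before a subsequent success is flagged.
FAILED_THRESHOLD = 5

# Assumed key=value log layout; adjust the pattern to the real syslog schema.
LOG_RE = re.compile(
    r'time="(?P<ts>[^"]+)" src=(?P<src>[\d.]+) user="(?P<user>[^"]*)" msg="(?P<msg>[^"]+)"'
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = """
time="2025-08-04T08:01:00Z" src=192.0.2.10 user="alice" msg="SSL VPN login succeeded"
time="2025-08-04T08:02:00Z" src=203.0.113.7 user="bob" msg="SSL VPN login failed"
time="2025-08-04T08:02:01Z" src=203.0.113.7 user="bob" msg="SSL VPN login failed"
time="2025-08-04T08:02:02Z" src=203.0.113.7 user="bob" msg="SSL VPN login failed"
time="2025-08-04T08:02:03Z" src=203.0.113.7 user="bob" msg="SSL VPN login failed"
time="2025-08-04T08:02:04Z" src=203.0.113.7 user="bob" msg="SSL VPN login failed"
time="2025-08-04T08:02:09Z" src=203.0.113.7 user="bob" msg="SSL VPN login succeeded"
this line is not an authentication event and is skipped
time="2025-08-04T08:15:30Z" src=198.51.100.20 user="admin" msg="SSL VPN login succeeded"
""".strip().splitlines()


def parse(line):
    """Return the event fields as a dict, or None for lines that don't match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def in_ranges(ip, ranges):
    """True if the dotted-quad address falls inside any network in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def analyse(lines):
    """Walk the log in order and return a list of findings (dicts) for review."""
    findings = []
    failures = defaultdict(int)  # failed attempts seen so far, per source IP

    def flag(ev, reason):
        findings.append({"ts": ev["ts"], "src": ev["src"], "user": ev["user"], "reason": reason})

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        msg = ev["msg"].lower()
        if "login failed" in msg:
            failures[ev["src"]] += 1
            continue
        if "login succeeded" not in msg:
            continue
        # A success from a blocked range means the auth-level block is not in effect.
        if in_ranges(ev["src"], BLOCKED_RANGES):
            flag(ev, "success from blocked range")
        # A success from outside the allowlist means the restriction is not enforced.
        if not in_ranges(ev["src"], ALLOWED_RANGES):
            flag(ev, "success from outside allowlist")
        # Password guessing that eventually lands is a classic suspicious pattern.
        if failures[ev["src"]] >= FAILED_THRESHOLD:
            flag(ev, f"success after {failures[ev['src']]} failed attempts")
        # Privileged accounts are monitored closely regardless of source.
        if ev["user"] in PRIVILEGED_USERS:
            flag(ev, "privileged account login")
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f"{f['ts']} {f['src']:<15} {f['user']:<10} {f['reason']}")
```

Run against a real export, replace `LOG_RE` with the device's actual field layout and populate `BLOCKED_RANGES` from the current prefixes announced by the listed ASNs. The checks are applied only to authentication events, which mirrors the bulletin's advice to restrict those networks at VPN authentication rather than blocking them wholesale.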

Suspicious data transfer activity should be investigated for signs of exfiltration.

Triskele Labs customers leveraging our Monitor (24×7 SIEM) or MDR services are being proactively assessed and monitored for IoCs and signs of lateral movement.

References

https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/

https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430