SonicWall VPN Targeted by Attackers via Unknown Bug


SonicWall advises users of its latest firewalls to disable VPN. A wave of ransomware attacks may be connected to a vulnerability in the solution.

Security specialist SonicWall warns customers about using the VPN functionality in its seventh-generation firewalls. In recent days, there has been a sharp increase in the number of cyber incidents involving these devices. SonicWall is not the only one noticing this increase; the heightened activity is also observed by external parties such as Google Mandiant, Huntress Labs, and Arctic Wolf.

Suspected Zero-Day Bug

Specifically, users of SonicWall’s seventh-generation firewalls are suddenly falling victim to ransomware attacks when they have the SSLVPN functionality enabled.

It is currently unclear if and how hackers are exploiting the VPN in the firewalls. SonicWall considers a zero-day bug a possibility, but there is no information on this at the moment. Both Arctic Wolf and Huntress Labs suggest that an undiscovered zero-day is the prime suspect for the entire situation. Because no specific bug has been identified, no patch is currently available.

Disable

SonicWall consequently asks customers to disable that functionality. If it is not possible to disable the SSLVPN, customers can take mitigating measures to reduce the risk.

SonicWall suggests allowing only known IP addresses, enabling botnet protection and geo-IP filtering, and of course, activating MFA. Somewhat concerningly, the company immediately mentions that there are indications that MFA is not sufficient to prevent a successful attack.
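One way a defender can check that the "known IP addresses only" measure is actually holding is to compare successful SSLVPN logins against the allowlist. The following added example is not SonicWall code or output; the event field names, the CIDR ranges and the login records are all constructed for illustration.

```python
import ipaddress

# Constructed sample of SSLVPN authentication events (not real SonicWall log output).
# The field names are an assumption made for this example.
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.10", "result": "success"},
    {"user": "bob", "src_ip": "198.51.100.77", "result": "success"},
    {"user": "carol", "src_ip": "203.0.113.55", "result": "failure"},
    {"user": "svc-backup", "src_ip": "192.0.2.200", "result": "success"},
]

# Source ranges an administrator has decided to allow (assumed, documentation ranges).
KNOWN_NETWORKS = ["203.0.113.0/24", "198.51.100.64/28"]


def build_allowlist(cidrs):
    """Parse CIDR strings once so each event check is a cheap membership test."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(src_ip, allowlist):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


def flag_unexpected_logins(events, cidrs):
    """Return (user, src_ip) for successful logins whose source is outside the allowlist.

    Failed attempts are skipped on purpose: the question here is whether the
    IP restriction is letting anything through, not how much noise it sees.
    """
    allowlist = build_allowlist(cidrs)
    flagged = []
    for ev in events:
        if ev["result"] != "success":
            continue
        if not is_allowed(ev["src_ip"], allowlist):
            flagged.append((ev["user"], ev["src_ip"]))
    return flagged


if __name__ == "__main__":
    for user, ip in flag_unexpected_logins(SAMPLE_EVENTS, KNOWN_NETWORKS):
        print(f"REVIEW: successful SSLVPN login for {user} from {ip} is outside the allowlist")
```

A non-empty result means either the allowlist is incomplete or the restriction is not being enforced, and the flagged account should be reviewed either way.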

Not the first time

This is not the first time SonicWall’s firewalls have come under fire. Just last month, Google security researchers discovered a backdoor in the SonicWall SMA 100 series. In February, attackers actively exploited a previously discovered bug in SonicOS. At the end of 2024, it became known that more than 25,000 publicly accessible SonicWall SSLVPN devices were vulnerable to exploitation, although the responsibility for this lay with the users’ update policy.

In most cases, a good update policy can prevent exploitation. This time is different: an exploitation trend is clearly visible while the vector remains unclear, which is unusual. Those with a SonicWall seventh-generation firewall should take mitigating measures and be prepared for a patch.