On August 4, 2025, SonicWall issued a critical security advisory regarding active exploitation attempts against its Gen-7 firewalls' SSL-VPN services. Threat actors are leveraging a possible zero-day vulnerability to bypass authentication and deliver ransomware payloads, even on fully patched systems.
SonicWall Advisory: Gen-7 SonicWall Firewalls SSLVPN Recent Threat Activity
This vulnerability is being actively exploited by ransomware operators, including the notorious Akira ransomware group, as detailed by Huntress Labs and covered by TechCrunch. Attackers are targeting SonicWall’s SSL-VPN features to gain initial access, bypass Multi-Factor Authentication (MFA), and move laterally within networks—impacting businesses of all sizes, including small and mid-sized organizations.
What WatchPoint Has Done Immediately
In response, WatchPoint has proactively disabled VPN access on all SonicWall appliances to prevent potential exploitation. We audited configurations across all client networks to ensure:
Are You at Risk? Here's How to Know
If your organization:
You are vulnerable to this exploitation chain—even if MFA is enabled.
➡️ Contact WatchPoint immediately to schedule a Zero-Day Vulnerability Assessment. We will help you verify exposure, implement immediate containment, and advise on secure remote access alternatives.

Recommended Actions for All SonicWall Users
Even if you're not a WatchPoint client, we strongly recommend the following actions:
1. Disable SSL-VPN Services Temporarily
2. Restrict VPN Access by IP Address
3. Audit All User Accounts
NOTE: Some reports suggest that the activity under investigation bypasses MFA even where it is enforced, so an MFA prompt on an account is not by itself evidence that the account is safe.
4. Enable SonicWall Security Services (Botnet Protection and Geo-IP Filtering, the two SonicWall's advisory calls out)
5. Increase Log Monitoring and Alerts
6. Consult with a Security Partner
Engage a trusted MSP like WatchPoint for ongoing monitoring, incident response readiness, and compliance-driven risk management.
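Step 5 is the one most shops skip because appliance logs are noisy. The script below is an added example for this post (not WatchPoint's or SonicWall's code): it pulls successful SSL-VPN logins out of key=value syslog lines and flags two things, sources outside the approved ranges from step 2 and a single source IP authenticating as several accounts. The log lines are constructed to resemble SonicOS syslog output; the field names (usr, src, msg), the message text and the IP ranges are assumptions, so match them to what your firewall actually emits.

```python
"""Review SSL-VPN login events for sources outside an approved list.

Added example, not SonicWall's or WatchPoint's code. The log lines below are
constructed for the demo: they imitate SonicOS key=value syslog output, but the
field names, message text and addresses are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not real captures).
SAMPLE_LOG = """\
id=firewall time="2025-08-04 08:02:11" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=198.51.100.23:51234 dst=203.0.113.10:4433
id=firewall time="2025-08-04 08:05:40" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="mlee" src=198.51.100.88:51301 dst=203.0.113.10:4433
id=firewall time="2025-08-04 02:17:03" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="backup_admin" src=192.0.2.77:40012 dst=203.0.113.10:4433
id=firewall time="2025-08-04 02:17:45" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=192.0.2.77:40019 dst=203.0.113.10:4433
id=firewall time="2025-08-04 02:18:10" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="mlee" src=192.0.2.77:40031 dst=203.0.113.10:4433
id=firewall time="2025-08-04 09:00:00" fw=203.0.113.10 pri=5 msg="Connection Opened" src=10.0.0.5:50000 dst=8.8.8.8:53
"""

# Networks remote staff are expected to come from (assumed values for the demo).
APPROVED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Matches key=value and key="quoted value" pairs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value syslog line into a dict; quoted values keep their spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def vpn_logins(log_text):
    """Yield (user, source_ip) for every successful SSL-VPN login line."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        msg = ev.get("msg", "").lower()
        if "ssl vpn" in msg and "login allowed" in msg and "usr" in ev and "src" in ev:
            # src is ip:port; keep only the address.
            ip = ipaddress.ip_address(ev["src"].rsplit(":", 1)[0])
            yield ev["usr"], ip


def review(log_text, approved=APPROVED_SOURCES, shared_threshold=2):
    """Return findings that deserve a human look.

    'unapproved': logins whose source lies outside the approved networks
                  (the check behind "restrict VPN access by IP address").
    'shared_source': one source IP logging in as several accounts in the
                  window, a pattern seen when stolen credentials are replayed.
    """
    unapproved = []
    users_by_src = defaultdict(set)
    for user, ip in vpn_logins(log_text):
        users_by_src[ip].add(user)
        if not any(ip in net for net in approved):
            unapproved.append((user, str(ip)))
    shared = {str(ip): sorted(users) for ip, users in users_by_src.items()
              if len(users) >= shared_threshold}
    return {"unapproved": unapproved, "shared_source": shared}


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for user, ip in findings["unapproved"]:
        print(f"login from outside approved ranges: {user} from {ip}")
    for ip, users in findings["shared_source"].items():
        print(f"one source, several accounts: {ip} -> {', '.join(users)}")
```

Feed it a day of exported syslog and treat any hit as a reason to review that account's recent sessions, not as proof of compromise; an office NAT address will legitimately show several users, which is why the approved list and the shared-source check are read together.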
Why This Matters for SMBs
Ransomware actors increasingly target professional services, healthcare, financial institutions, and other SMBs in regulated sectors. A successful exploit could lead to:
📞 Need Help? We're Standing By 319-535-5350
If you’re unsure whether your SonicWall deployment is at risk or need immediate help with containment and remediation contact WatchPoint today.
We provide rapid assessments, mitigation support, and co-managed IT security services designed to protect small and mid-sized businesses from evolving cyber threats.
In today’s threat landscape, law firms can’t afford to overlook endpoint security basics, and one of the most overlooked is local administrator access. While it may seem like a small technical detail, letting staff work day to day with elevated privileges is one of the biggest security risks a firm can take.
Let’s break down why removing local admin rights isn’t just an IT best practice; it’s a critical move to protect your clients, reputation, and compliance posture.
Local administrator rights give a user unrestricted control over their workstation: installing software, changing security settings, disabling or tampering with security tools, and modifying system files. Any malware that runs under that user’s account inherits the same control. It’s essentially handing over the keys to the kingdom.
In a law firm, where attorneys and staff routinely access highly confidential client data, this level of access presents a clear and present danger.

These breaches underscore a simple truth: when everyone is an admin, no one is secure.
✅ Reduces Attack Surface
✅ Prevents Unauthorized Software
✅ Improves Patch and Software Management
✅ Strengthens Compliance with ABA Standards
✅ Enhances Endpoint Monitoring and Control
Giving users local admin rights is like leaving the keys hanging in your front door and assuming no one will try to open it.
For law firms, the stakes are too high. Reputation, compliance, and client trust all hang in the balance. Removing local admin rights is one of the easiest, most effective ways to protect your business and keep growth on track.
A cyberattack on Microsoft SharePoint Server just made headlines. It is a textbook example of how quickly a zero-day vulnerability can spiral into a full-blown crisis.
On July 18, 2025, cybersecurity researchers disclosed a critical zero-day vulnerability (CVE-2025-53770) in on-premises Microsoft SharePoint Server (SharePoint Online in Microsoft 365 was not affected). The flaw allowed unauthenticated remote code execution, meaning attackers didn’t need credentials to exploit vulnerable systems.

Early reporting linked more than 75 confirmed breaches to the flaw, across state agencies, federal contractors, telecoms, energy providers, and universities. Tens of thousands of systems remained exposed days after disclosure.
Key detail: the attackers stole the servers’ ASP.NET machine keys (the ValidationKey and DecryptionKey that sign and encrypt ViewState). Whoever holds those keys can craft requests the server treats as trusted, so patching the code-execution flaw alone does not evict them.
Even patched servers may remain compromised if the machine keys aren’t rotated and thorough forensics aren’t performed.
1. Patching isn't enough.
Zero-day exploits often leave behind persistence mechanisms. Assume breach and act accordingly.
2. Credential hygiene is critical.
Once the machine keys are stolen, attackers can forge trusted requests even after patching. Rotate the machine keys and restart IIS, then rotate any credentials the server held or could reach. Think of it like having your house keys stolen. Once the thief has them, they can get back in. You have to change the locks.
3. Asset visibility matters.
Thousands of organizations didn’t realize their servers were exposed until it was too late. Know your environment.
At WatchPoint, we were able to check all managed servers within a matter of minutes to ensure none were vulnerable.
4. Legacy systems are a liability.
Unpatched older versions (like SharePoint 2016) create attack surface that sometimes can’t be mitigated fast enough.
5. Plan for resilience, not just prevention.
Detection, containment, and incident response are a must!
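Points 1 and 2 above hinge on one mechanism: a server trusts whatever is signed with its machine key, so a copy of that key is a skeleton key that survives the patch. The snippet below is an added example, a deliberately simplified stand-in for ASP.NET’s ViewState MAC rather than Microsoft’s implementation, using HMAC-SHA256 with made-up key and token values. It shows the attacker’s forged token being accepted after the patch and rejected only once the key is rotated.

```python
"""Why a stolen signing key outlives the patch, and why rotation fixes it.

Added example; a simplified stand-in for ASP.NET's ViewState MAC, not
Microsoft's code. The 'machine key' values, token contents and the
HMAC-SHA256 construction are assumptions chosen for the demo.
"""
import hashlib
import hmac
import secrets


def sign(token: bytes, machine_key: bytes) -> bytes:
    """Append a hex HMAC tag so the server can later trust the token's contents."""
    tag = hmac.new(machine_key, token, hashlib.sha256).hexdigest().encode()
    return token + b"." + tag


def verify(signed: bytes, machine_key: bytes) -> bool:
    """Server side: accept only tokens whose tag matches the *current* key."""
    token, sep, tag = signed.rpartition(b".")
    if not sep:
        return False
    expected = hmac.new(machine_key, token, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, expected)


def simulate():
    """Return (forged accepted before rotation, after rotation, reissued token ok)."""
    server_key = secrets.token_bytes(32)        # key the vulnerable server held
    stolen_key = server_key                     # attacker read it before the patch

    # Post-patch the RCE is gone, but a token minted with the stolen key is
    # indistinguishable from one the server signed itself.
    forged = sign(b'{"user":"admin","role":"farm-admin"}', stolen_key)
    accepted_before_rotation = verify(forged, server_key)

    # Rotating the key invalidates every token signed with the old one, the
    # attacker's included. Legitimate sessions are simply re-issued.
    new_key = secrets.token_bytes(32)
    accepted_after_rotation = verify(forged, new_key)
    reissued = sign(b'{"user":"jdoe","role":"reader"}', new_key)
    reissued_ok = verify(reissued, new_key)
    return accepted_before_rotation, accepted_after_rotation, reissued_ok


if __name__ == "__main__":
    before, after, reissued = simulate()
    print(f"forged token accepted before rotation: {before}")
    print(f"forged token accepted after rotation:  {after}")
    print(f"legitimate re-issued token accepted:   {reissued}")
```

The order matters in the real product as much as in the demo: patch first (or the attacker just steals the new key too), then rotate, then restart the web server so the old key is no longer loaded anywhere.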
Would you ever hang a bright neon sign outside your business reading, "Hey burglars, doors unlocked, come on in!"? Of course not. Yet astonishingly, many businesses do just that digitally, leaving their firewall ports wide open and welcoming cybercriminals with open arms. Recently, even the FBI stepped in to issue a stern (and somewhat embarrassing) Open Port Warning about the dangers of leaving these digital doors unlocked. And while cybersecurity is serious business, sometimes the simplicity of the problem borders on comedy, until it’s not funny at all.
In the recent cybersecurity advisory (Alert Code: AA25-050A), the FBI, CISA (Cybersecurity and Infrastructure Security Agency), and MS-ISAC sounded the alarm about cybercriminals actively breaking into networks through unpatched, internet-facing services exposed on open firewall ports. Think of it like leaving your office windows wide open overnight: one forgotten latch and intruders can waltz right in. The FBI is urging businesses to close these openings immediately, before your exposed ports become a hacker's personal playground filled with data breaches, ransomware, and other digital nightmares.

Let's be honest: leaving your ports open is like tossing your car keys into the front seat and walking away. Sure, your car might be there in the morning, but the odds aren't exactly in your favor. The puzzling thing? Checking for open ports is straightforward, yet countless businesses overlook it, creating massive and entirely unnecessary risks. The potential cost isn't just financial; imagine explaining to your clients that your "secure" network was basically a revolving door for hackers. Ouch.
Like many other cybersecurity topics, this one gets ignored by business leaders despite plenty of coverage. Here are just a few of the articles written about this particular warning.
Forbes: "FBI Says Backup Now—Advisory Warns Of Dangerous Ongoing Attacks"
This article highlights the FBI's warning about the ongoing and dangerous nature of Ghost ransomware attacks, emphasizing the importance of immediate data backups.
WaterISAC: "(TLP:CLEAR) CISA, FBI, and MS-ISAC Release Advisory on Ghost (Cring) Ransomware"
This piece provides an overview of the joint advisory, detailing the indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs) associated with Ghost ransomware.
Security Boulevard: "[CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware"
This article discusses the CISA advisory on Ghost ransomware and introduces an attack graph released by AttackIQ to help organizations validate their security controls against this threat.
SafeBreach: "SafeBreach Coverage for US CERT AA25-050A [Ghost (Cring) Ransomware]"
This blog post outlines how SafeBreach has added coverage against attacks by Ghost threat actors targeting organizations across more than 70 countries.
NeptuneWorx: "Summary: Understanding CISA's Cybersecurity Advisory AA25-050A"
This summary provides insights into the CISA advisory, emphasizing the importance of proactive cybersecurity measures and understanding the threat landscape.
We don’t have the hard statistics yet for 2025, but over the past several weeks at WatchPoint we have been getting more requests than usual for help with ransomware attacks. These were non-WatchPoint clients, of course, and generally referrals from existing clients, but of the last three, two were caused by open ports. There was a dip in ransomware attacks that coincided with the start of the war in Ukraine, but now we appear to be back in the throes of a full-on assault from cyber attackers.
Here’s the good news—checking your ports isn't complicated or time-consuming. In fact, it's as quick and painless as checking your smartphone’s battery. With a few clicks, we can run a port scan and immediately see if you are unintentionally offering hackers a warm welcome to your network. Given how simple this task is, there’s really no excuse not to do it unless you enjoy making life easy for cybercriminals.
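As an added illustration of the scan described above (not WatchPoint’s own tooling), the Python below tries a plain TCP connect to each port, then compares what answered against the short list of ports you actually meant to expose. It starts a throwaway listener on localhost so it can be run offline; the allowlist and the risky-port table are assumptions for the demo. Run it from a host outside your network against your public IP to see what an attacker sees.

```python
"""Check which ports answer on a host and compare against what should be open.

Added example, not WatchPoint's scanning tool. It uses plain TCP connects, so
it only sees ports that complete a handshake; UDP and filtered ports need a
fuller scanner. The allowlist and the risky-port table are demo assumptions.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports commonly left exposed that should almost never face the internet.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 135: "MS RPC", 139: "NetBIOS",
               445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP",
               5900: "VNC", 5985: "WinRM"}


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports, timeout: float = 1.0, workers: int = 64) -> set:
    """Return the subset of `ports` that accepted a connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return {p for p, is_open in results if is_open}


def report(open_ports: set, allowed: set) -> dict:
    """Split findings into expected, unexpected, and known-dangerous exposures."""
    unexpected = open_ports - allowed
    return {
        "expected": sorted(open_ports & allowed),
        "unexpected": sorted(unexpected),
        "risky": {p: RISKY_PORTS[p] for p in sorted(unexpected) if p in RISKY_PORTS},
    }


def start_demo_listener():
    """Open a throwaway local listener so the scan has something to find offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, demo_port = start_demo_listener()
    # Scan the demo port plus the risky list; on most workstations only the demo port answers.
    found = scan("127.0.0.1", [demo_port, *RISKY_PORTS])
    print(report(found, allowed={443, demo_port}))
    srv.close()
```

Anything in "unexpected" needs an owner and a reason or a firewall rule closing it; anything in "risky" is the revolving door the FBI advisory is talking about and should be closed or put behind a VPN the same day.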
At WatchPoint IT, our mission is to make cybersecurity feel less like rocket science and more like routine maintenance—easy, stress-free, and efficient. Our free port scanning service quickly identifies which of your digital doors are wide open. Additionally, we won’t leave you hanging. We provide continuous monitoring and alerts to immediately flag any new vulnerabilities, keeping your digital assets safe 24/7.
Here's What You'll Receive from Our Free Scan:
Cybersecurity can seem daunting, packed with acronyms, jargon, and endless threats. But when it comes to securing your network, think of it as simply locking your front door. With the FBI’s urgent warning fresh in our minds, there’s no better time than now to act.
Don’t wait until you’re already compromised. Connect with WatchPoint IT today, run your free port scan, and let’s lock those digital doors tighter than Fort Knox. Because in cybersecurity, being proactive isn't just smart, it's essential.
Stay smart, stay secure!
Ready to lock things down? Visit WatchPoint IT today and let us know you would like a free port scan. Your future self will thank you.