SonicWall Zero-Day: What You Need to Know and How WatchPoint is Protecting Clients

On August 4, 2025, SonicWall issued a critical security advisory regarding active exploitation attempts against its Gen-7 firewalls' SSL-VPN services. Threat actors are leveraging a possible zero-day vulnerability to bypass authentication and deliver ransomware payloads, even on fully patched systems.

SonicWall Advisory: Gen-7 SonicWall Firewalls SSLVPN Recent Threat Activity

This vulnerability is being actively exploited by ransomware operators, including the notorious Akira ransomware group, as detailed by Huntress Labs and covered by TechCrunch. Attackers are targeting SonicWall’s SSL-VPN features to gain initial access, bypass Multi-Factor Authentication (MFA), and move laterally within networks—impacting businesses of all sizes, including small and mid-sized organizations.

What WatchPoint Has Done Immediately

In response, WatchPoint has proactively disabled VPN access on all SonicWall appliances to prevent potential exploitation. We audited configurations across all client networks to ensure:

No exposed SSL-VPN services are accessible from the open internet.
Geo-IP and botnet filters are in place to restrict unauthorized access attempts.
Legacy or unused user accounts are disabled to reduce attack surfaces.
Continuous monitoring is enforced through WatchPoint’s 24/7 Security Operations Center (SOC).

Are You at Risk? Here's How to Know

If your organization:

Uses SonicWall Gen-7 firewalls (TZ, NSa series),
Has SSL-VPN services enabled

You are vulnerable to this exploitation chain—even if MFA is enabled.

➡️ Contact WatchPoint immediately to schedule a Zero-Day Vulnerability Assessment. We will help you verify exposure, implement immediate containment, and advise on secure remote access alternatives.

Recommended Actions for All SonicWall Users

Even if you're not a WatchPoint client, we strongly recommend the following actions:

1. Disable SSL-VPN Services Temporarily

Until SonicWall releases definitive mitigation guidance or patches, disable SSL-VPN wherever possible.

2. Restrict VPN Access by IP Address

If VPN access must remain enabled, configure allow-lists to restrict access to known, trusted IP addresses only.

3. Audit All User Accounts

Remove inactive accounts, enforce strong password policies, and ensure MFA is enabled (preferably TOTP or hardware-based).

NOTE: Some reports suggest even with MFA enforced the activity under investigation bypasses MFA

4. Enable SonicWall Security Services

Ensure Botnet Protection, Intrusion Prevention, and Geo-IP filtering are active and properly configured.

5. Increase Log Monitoring and Alerts

Pay close attention to VPN login attempts, especially from anomalous IP addresses (cloud-hosted servers, foreign IPs, etc.).

6. Consult with a Security Partner Engage a trusted MSP like WatchPoint for ongoing monitoring, incident response readiness, and compliance-driven risk management.

Why This Matters for SMBs

Ransomware actors increasingly target professional services, healthcare, financial institutions, and other SMBs in regulated sectors. A successful exploit could lead to:

Data breaches triggering GLBA, HIPAA, or state-level notification requirements,
Extended operational downtime,
Severe reputational damage.

📞 Need Help? We're Standing By 319-535-5350

If you’re unsure whether your SonicWall deployment is at risk or need immediate help with containment and remediation contact WatchPoint today.

We provide rapid assessments, mitigation support, and co-managed IT security services designed to protect small and mid-sized businesses from evolving cyber threats.

References: