UPDATE 7th August 11am - SonicWall SSLVPN Vulnerability on Gen 7 Devices
UPDATE - Thursday 7th August 2025 11am:
SonicWall are confident the issue is NOT connected to a zero-day vulnerability.
There is a significant correlation with threat activity related to CVE-2024-40766, previously disclosed in advisory SNWLID-2024-0015.
SonicWall are investigating fewer than 40 related incidents, which appear to involve migrations from Gen 6 to Gen 7 firewalls where local user passwords were carried over and not reset (this applies to installations where users are configured locally on the firewall rather than via LDAP, RADIUS etc.). Resetting passwords was a critical step outlined in the original advisory.
SonicOS 7.3 has additional protection against brute-force password and MFA attacks. Without these protections, password and MFA brute-force attacks are more feasible.
SonicWall has issued the following updated guidance for all customers, particularly those who have imported configurations from Gen 6 to newer firewalls. We urge you to take the following immediate actions:
1. Update firmware to version 7.3.0 (see SonicWall's Firmware update guide).
2. Reset all local user passwords for any accounts with SSLVPN access.
3. Continue applying recommended best practices:
Enable Botnet Protection and Geo-IP Filtering
Remove unused or inactive user accounts
Enforce MFA and strong password policies
We will keep you updated as the situation evolves. As previously mentioned, all the latest updates are available in full on SonicWall's KB article HERE. This article will be continually updated.
Tuesday 5th August 2025 4pm:
SonicWall have reported an increased number of cyber security incidents involving Generation 7 SonicWall firewalls running various firmware versions with SSLVPN enabled.
These issues have been identified both internally and via leading threat research teams including Arctic Wolf, Google Mandiant and Huntress.
We are awaiting further instructions on how customers should respond and will update via email and on the SonicWall Online website as soon as possible.
SonicWall is investigating these incidents urgently. As a precaution we urge all Gen 7 firewall users to take the following steps immediately:
1. Disable SSLVPN Services where practical.
This is the most effective way to protect your network. We strongly advise you to disable SSL VPN access on your SonicWall appliances until an official patch and guidance are released.
For instructions on how to disable SSLVPN visit: https://sonicwallonline.co.uk/securing-sonicwall-sslvpn
If SSLVPN remains enabled, apply the following controls:
2. If you can’t disable it, lock it down. If the VPN is business-critical, immediately restrict access to a minimal allow-list of known, trusted IP addresses. Segment the network to prevent a breach of the appliance from immediately providing access to critical servers like domain controllers.
For instructions on how to lock down SSLVPN visit: https://sonicwallonline.co.uk/securing-sonicwall-sslvpn
3. Remove unused or inactive firewall user accounts, particularly those with remote access permissions.
4. Ensure Security Services (e.g., Botnet Protection, Geo-IP Filtering) are turned on and actively protecting the firewall.
5. Audit your service accounts. The account the SonicWall uses to bind to LDAP does not need to be a Domain Admin. Ensure service accounts follow the principle of least privilege.
6. Hunt for malicious activity. Huntress have published Indicators of Compromise for the exploit which can be viewed here: https://www.huntress.com/blog/exploitation-of-sonicwall-vpn
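As an added illustration of step 6, and of the brute-force exposure described in the 7th August update (this is example code, not from SonicWall, Huntress or this article): a small Python detector that reads SonicOS-style key=value syslog lines and flags repeated SSLVPN login failures, either one account hammered from a single source or one source trying many accounts. The log layout, field names and sample lines are constructed assumptions; adjust the message text and thresholds to match your own firewall's syslog output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed SonicOS-style key=value syslog layout
# (not copied from a real appliance). Only failed SSLVPN logins matter here.
SAMPLE_LOG = """\
time="2025-08-05 15:58:01" msg="SSL VPN login failed" src=198.51.100.7 usr="jsmith"
time="2025-08-05 15:58:03" msg="SSL VPN login failed" src=198.51.100.7 usr="jsmith"
time="2025-08-05 15:58:06" msg="SSL VPN login failed" src=198.51.100.7 usr="jsmith"
time="2025-08-05 15:58:09" msg="SSL VPN login failed" src=198.51.100.7 usr="jsmith"
time="2025-08-05 15:58:12" msg="SSL VPN login failed" src=198.51.100.7 usr="jsmith"
time="2025-08-05 16:01:00" msg="SSL VPN login failed" src=203.0.113.55 usr="admin"
time="2025-08-05 16:01:02" msg="SSL VPN login failed" src=203.0.113.55 usr="backup"
time="2025-08-05 16:01:05" msg="SSL VPN login failed" src=203.0.113.55 usr="vpnuser"
time="2025-08-05 16:30:00" msg="SSL VPN login failed" src=192.0.2.9 usr="alice"
time="2025-08-05 16:30:30" msg="SSL VPN login succeeded" src=192.0.2.9 usr="alice"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect_sslvpn_bruteforce(log_text, window=timedelta(minutes=10),
                             per_user_threshold=5, spray_threshold=3):
    """Return sorted (alert_type, src, usr) tuples: 'brute_force' when one
    account fails >= per_user_threshold times from one source inside the
    window, 'password_spray' (usr='*') when one source fails against
    >= spray_threshold distinct accounts inside the window."""
    failures = defaultdict(list)  # src -> [(timestamp, usr), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("msg") != "SSL VPN login failed":
            continue
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        failures[ev["src"]].append((ts, ev["usr"]))
    alerts = set()
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            users = [u for t, u in events[i:] if t - start <= window]
            if len(set(users)) >= spray_threshold:
                alerts.add(("password_spray", src, "*"))
            for u in set(users):
                if users.count(u) >= per_user_threshold:
                    alerts.add(("brute_force", src, u))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_sslvpn_bruteforce(SAMPLE_LOG):
        print(alert)
```

A single failure followed by a success (the 192.0.2.9 lines) produces no alert, which is the normal mistyped-password case; sources that do trigger are candidates for the allow-list and password-reset actions above.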
SonicWall's knowledge base article carries the latest information (CLICK HERE) and is the place to track updates on this issue. That article will be continually updated and is currently our only source of information on the subject.
If a new vulnerability is confirmed, SonicWall will move swiftly to release updated firmware and supporting guidance.