SonicWall’s VPNs May Have a Nasty Zero-Day – Akira Ransomware Gate-crashes the Party
SonicWall is probing a potential zero-day flaw in its Gen 7 SSL VPN firewalls after security firms Arctic Wolf and Huntress logged more than 20 Akira-ransomware break-ins since late July 2025. Victims were fully patched and had MFA enabled, yet attackers still got through, which hints at an undisclosed vulnerability in firmware 7.2.0-7015 and earlier. SonicWall urges customers to disable or restrict SSL VPN access, enforce MFA, cull dormant accounts, and enable botnet and Geo-IP filtering while the investigation continues. The attacks escalate quickly: once the firewall is compromised, intruders pivot to domain controllers, kill Defender, wipe shadow copies and unleash Akira within hours. Affected models appear limited to TZ and NSa series running Gen 7 code.
Network-security giant SonicWall is scrambling to find out whether its Gen 7 SSL VPN firewalls have sprung a brand-new leak. Researchers from Arctic Wolf and Huntress spotted more than twenty break-ins since 25 July, all pointing at the Akira ransomware gang.
What’s gone wrong?
Despite being up-to-date and guarded by MFA, several TZ and NSa appliances were breached. Attackers marched straight from the firewall to the domain controller, switched off Microsoft Defender, deleted shadow copies and pulled the Akira trigger—all in the time it takes to grab a coffee.
SonicWall’s emergency advice
• Switch off SSL VPN unless you absolutely need it.
• If you must keep it, whitelist trusted IP addresses only.
• Turn on botnet protection and Geo-IP filtering.
• Purge any dusty old accounts and ask users to change their passwords (yes, again).
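As an added illustration (not code from SonicWall, Arctic Wolf or Huntress) of how a defender might watch for the chain described above, the script below correlates an SSL VPN login from a source outside the trusted-IP allowlist with Defender being disabled and shadow copies being deleted by the same account within a few hours. The event feed, field names, hostnames and IP addresses are all constructed for this example and do not follow any vendor's log format.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real firewall or endpoint logs. The tuple layout
# (timestamp, host, event_kind, "key=value ..." details) and the event_kind labels
# are this example's own conventions.
EVENTS = [
    ("2025-07-26 02:11:00", "fw-edge", "sslvpn_login", "user=svc_backup src=203.0.113.7"),
    ("2025-07-26 02:40:00", "dc01", "defender_disabled", "user=svc_backup"),
    ("2025-07-26 02:52:00", "dc01", "shadow_copy_deleted", "user=svc_backup"),
    ("2025-07-26 09:00:00", "fw-edge", "sslvpn_login", "user=alice src=198.51.100.5"),
    ("2025-07-27 15:00:00", "ws14", "defender_disabled", "user=helpdesk"),
]

ALLOWLIST = {"198.51.100.5"}   # trusted VPN source IPs (constructed)
WINDOW = timedelta(hours=3)     # the article describes the chain completing within hours
POST_COMPROMISE = {"defender_disabled", "shadow_copy_deleted"}


def _fields(detail):
    """Parse a 'k=v k=v' detail string into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split())


def correlate(events=EVENTS, allowlist=ALLOWLIST, window=WINDOW):
    """Return one alert dict per SSL VPN login that is either from a source outside
    the allowlist or followed, within `window`, by post-compromise actions by the
    same account. A login from an allowlisted source with no follow-ups is ignored."""
    parsed = sorted(
        ((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, kind, _fields(detail))
         for ts, host, kind, detail in events),
        key=lambda e: e[0],
    )
    alerts = []
    for i, (ts, _host, kind, f) in enumerate(parsed):
        if kind != "sslvpn_login":
            continue
        # Post-compromise actions by the same user inside the window after this login.
        followups = [
            k for t2, _h, k, f2 in parsed[i + 1:]
            if k in POST_COMPROMISE and f2.get("user") == f["user"] and t2 - ts <= window
        ]
        untrusted = f["src"] not in allowlist
        if followups or untrusted:
            alerts.append({
                "user": f["user"], "src": f["src"], "untrusted_source": untrusted,
                "followups": followups, "severity": "high" if followups else "low",
            })
    return alerts
```

Run against the constructed feed, only the svc_backup login is flagged (high severity, untrusted source plus both follow-up actions); alice's login from an allowlisted address with no follow-ups produces nothing.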
Why it matters
The speed and success of the raids strongly suggest a zero-day exploit rather than recycled creds. SonicWall is investigating; meanwhile, defenders should lock the doors and double-bolt them.