Uptick in Akira Ransomware Actors Targeting SonicWall VPNs

by CybrGPT

Security experts have warned of a possible zero-day vulnerability in SonicWall SSL VPNs after noting a surge in ransomware attacks targeting the devices for initial access.

Arctic Wolf claimed in a security notice on Friday that it had observed “multiple pre-ransomware intrusions” in late July “within a short period of time.”

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” it continued.

“In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP [time-based one-time password] MFA being enabled, accounts were still compromised in some instances.”

Read more on attacks on SonicWall devices: Palo Alto Networks and SonicWall Firewalls Under Attack

In all of the cases observed by the security vendor, threat actors achieved VPN access through SonicWall SSL VPNs. There then followed a short interval before ransomware encryption, said Arctic Wolf.

“In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments,” it added.

Malicious VPN logins have been observed by the firm since October 2024, although the most recent uptick in activity began on July 15, 2025, Arctic Wolf said.

It urged SonicWall SSL VPN customers to:

  • Consider disabling the service until a patch is deployed (assuming the attacks stem from a zero-day vulnerability)
  • Enable SonicWall log monitoring through the Arctic Wolf Managed Detection and Response service
  • Enable security services such as botnet protection to help detect threat actors that target SSL VPN endpoints
  • Enforce multi-factor authentication (MFA) for all remote access to reduce the risk of credential abuse
  • Remove unused or inactive local firewall user accounts, particularly those with SSL VPN access
  • Practice good password hygiene such as encouraging periodic password updates across all user accounts
  • Review hosting-related ASNs (listed in the blog) and consider blocking their corresponding CIDR ranges for VPN authentication
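The last recommendation, together with Arctic Wolf's observation that malicious VPN logins tend to come from Virtual Private Server hosting rather than residential ISP ranges, lends itself to a simple detection check over VPN login logs. The script below is an added example and is not code from Arctic Wolf, SonicWall, or this article; the log line layout, the IP-to-ASN table and the hosting ASN numbers are all constructed placeholders (real deployments would feed it SonicWall's actual log format, an IP-to-ASN database, and the ASN list from the vendor advisory). It flags successful SSL VPN logins whose source address falls in hosting provider space and emits the CIDR ranges one might consider blocking for VPN authentication.

```python
"""Flag SSL VPN logins that originate from hosting-provider address space.

Added example, not Arctic Wolf's or SonicWall's code. The ASN table and the
log lines are constructed for illustration; a real deployment would use an
IP-to-ASN feed and the hosting ASN list published in the vendor advisory.
"""
import ipaddress
import re

# Constructed IP-to-ASN table: (prefix, asn, org, is_hosting).
# The ASNs and prefixes are placeholders from documentation/example space.
ASN_TABLE = [
    ("198.51.100.0/24", 64500, "ExampleBroadband", False),   # consumer ISP
    ("203.0.113.0/24", 64501, "ExampleCloudHosting", True),  # VPS / hosting
    ("192.0.2.0/24", 64502, "ExampleVPS", True),             # VPS / hosting
]

# Constructed log lines in a generic syslog-like shape. The field names are
# assumptions for this example, not SonicWall's actual log format.
SAMPLE_LOGS = """\
2025-07-15T02:13:41Z sslvpn login user=jdoe src=198.51.100.23 result=success
2025-07-15T02:14:09Z sslvpn login user=svc_backup src=203.0.113.77 result=success
2025-07-15T02:14:12Z sslvpn login user=svc_backup src=203.0.113.77 result=success
2025-07-15T02:20:55Z sslvpn login user=asmith src=192.0.2.10 result=failure
2025-07-15T02:21:30Z sslvpn login user=asmith src=192.0.2.10 result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def lookup_asn(ip):
    """Return (asn, org, is_hosting) for an IP, or None if not in the table."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn, org, hosting in ASN_TABLE:
        if addr in ipaddress.ip_network(prefix):
            return asn, org, hosting
    return None


def parse_logs(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_hosting_logins(text):
    """Return successful logins whose source IP sits in hosting ASN space.

    Failed attempts are ignored here; they matter for brute-force detection,
    but the signal this check targets is a *successful* login from a VPS.
    """
    flagged = []
    for ev in parse_logs(text):
        if ev["result"] != "success":
            continue
        info = lookup_asn(ev["src"])
        if info and info[2]:
            flagged.append({**ev, "asn": info[0], "org": info[1]})
    return flagged


def hosting_cidrs():
    """CIDR ranges to consider blocking for VPN authentication."""
    return sorted(prefix for prefix, _, _, hosting in ASN_TABLE if hosting)


if __name__ == "__main__":
    for hit in flag_hosting_logins(SAMPLE_LOGS):
        print(f"ALERT {hit['ts']} user={hit['user']} src={hit['src']} "
              f"AS{hit['asn']} ({hit['org']})")
    print("candidate blocklist:", hosting_cidrs())
```

Run against the constructed sample, the check raises three alerts (two for `svc_backup`, one for `asmith`) and leaves the residential-ISP login for `jdoe` alone. Blocking whole hosting ranges can cut off legitimate remote workers who tunnel through a VPS, so treating a hit as an alert to investigate (for example, correlating it with the credential rotation and MFA state noted above) is usually safer than an automatic block.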

Network edge devices like VPNs, firewalls and routers are a popular target for ransomware actors given that they’re connected to the public internet, but also provide access to sensitive corporate resources. Often such devices are not covered by endpoint detection and response (EDR), creating a security blind spot for network defenders.

Infosecurity has reached out to SonicWall for comment and is awaiting a response.

Image credit: Michael Vi / Shutterstock.com
