The Gen 7 SonicWall Firewall Crisis: Zero-Day

Executive Summary

A critical security crisis is unfolding for organizations using Gen 7 SonicWall firewalls with SSL VPN enabled. Since mid-July 2025, attackers have exploited a suspected zero-day vulnerability (or a dangerously misunderstood known flaw) to bypass multi-factor authentication (MFA), compromise networks in under two hours, and deploy Akira ransomware. With over 28 confirmed breaches and counting, this threat combines unprecedented speed, evasion sophistication, and ruthless financial motivation.

🔥The Heat of the Controversy: Zero-Day vs. SonicWall’s Stance

SonicWall insists the attacks stem from CVE-2024-40766—a patched improper access control flaw documented in advisory SNWLID-2024-0015. The vendor attributes compromises to customers who migrated from Gen 6 to Gen 7 firewalls without resetting local user passwords.

However, third-party researchers disagree:

Huntress, Arctic Wolf, and Mandiant observed attacks bypassing MFA on fully patched devices even after credential rotation — a hallmark of zero-day exploitation.
40% of incidents traced to password migration failures during Gen 6 → Gen 7 upgrades.
Firmware versions 7.2.0-7015 and earlier are confirmed vulnerable in TZ/NSa-series firewalls.

Why the disconnect? Researchers note attackers achieved impossible MFA bypasses and compromised credentials after resets—indicative of a deeper, unpatched flaw.

⏰ Attack Timeline: Speed, Scale, and Evolution

July 15, 2025: Arctic Wolf detects an uptick in Akira ransomware targeting SonicWall SSL VPNs.
July 23–25: Sophos logs 10 incidents; Huntress observes 20+ attacks deploying backdoors (Cloudflare tunnels/OpenSSH).
August 4: SonicWall confirms a “notable increase” in incidents, urging SSLVPN disablement.
August 6: Confirmed breaches rise to 28+; SonicWall releases firmware 7.3.0 with brute-force protections.

⚠️ Inside the Kill Chain: How Attackers Hijack Networks

Initial Access: Breach SSLVPN (bypassing MFA via zero-day or credential reuse).
Privilege Escalation: Abuse over-permissioned SonicWall service accounts (e.g., sonicwall, LDAPAdmin) to gain domain admin rights.
Lateral Movement & Persistence:
- Deploy tools like Advanced IP Scanner, NetExec, or PowerShell Remoting.
- Harvest credentials from Veeam backups or NTDS.dit files.
- Install persistent backdoors (AnyDesk, ScreenConnect, OpenSSH).
Evasion: Disable Microsoft Defender via Set-MpPreference and delete shadow copies with vssadmin.
Ransomware Deployment: Execute Akira payloads (w.exe -p=\\[target]\C$).

Objective	Tools Observed
Reconnaissance	Advanced IP Scanner, `nltest`, `ping`
Credential Theft	WinRAR, FileZilla, `wbadmin.exe`
Persistence	AnyDesk, OpenSSH, RMM tools
Defense Evasion	`netsh`, `Set-MpPreference`, `vssadmin`
Data Exfiltration	Custom BAT scripts, FTP clients

Table: Attacker Tools by Phase

🛡️ Mitigation Strategies: Vendor vs. Researcher Recommendations

SonicWall’s Official Guidance

Upgrade firmware to SonicOS 7.3.0+ for anti-brute-force enhancements.
Reset all local user passwords—especially those migrated from Gen 6 devices.
Enable Botnet/Geo-IP filtering and enforce MFA.

Researcher-Urged Actions

Disable SSLVPN immediately—only allow VPN access via IP allow-listing.
Segment networks to isolate firewalls from domain controllers.
Audit service accounts: Strip domain admin rights from SonicWall-related accounts.
Block VPN logins from high-risk ASNs and other IOCs

Indicators of Compromise (IOCs)

ITEM	DESCRIPTION
142.252.99[.]59	Attacker IP
45.86.208[.]240	Attacker IP
77.247.126[.]239	Attacker IP
104.238.205[.]105	Attacker IP
104.238.220[.]216	Attacker IP
181.215.182[.]64	Attacker IP
193.163.194[.]7	Attacker IP
193.239.236[.]149	Attacker IP
194.33.45[.]155	Attacker IP
w.exe sha256: d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d	Ransomware executable
win.exe	Ransomware executable
C:\ProgramData\winrar.exe	Data staging tooling.
C:\ProgramData\OpenSSHa.msi	OpenSSH installer
C:\Program Files\OpenSSH\sshd.exe	SSH executable for exfiltration
C:\programdata\ssh\cloudflared.exe	Cloudfare executable
C:\Program Files\FileZilla FTP Client\fzsftp.exe	Data exfiltration tooling.
C:\ProgramData\1.bat	Unknown attacker script
C:\ProgramData\2.bat	Unknown attacker script
backupSQL	User created by attacker
lockadmin	User created by attacker
Password123$	Password used by attacker
Msnc?42da	Password used by attacker
VRT83g$%ce	Password used by attacker
AS23470	ASN Number (ReliableSite.Net LLC)
AS215540	ASN Number (Global Connectivity Solutions LLP)
AS64236	ASN Number (UnReal Servers, LLC)
AS14315	ASN Number (1GSERVERS, LLC)
AS62240	ASN Number (Clouvider Limited)

Table of IOCs

Mitigation Comparison

Action	SonicWall	Researchers	Rationale
Disable SSLVPN	Conditional	Urgent	Only guaranteed way to block attacks
Firmware 7.3.0 upgrade	Mandatory	Recommended	Adds brute-force protections
Segment firewall/DC	Not specified	Critical	Limits lateral movement

Table: Critical Mitigation Comparison

📉 SonicWall’s Recurring Security Crisis: A Pattern of Risk

This incident fits a dangerous trend:

14 SonicWall flaws listed in CISA’s Known Exploited Vulnerabilities catalog since 2021.
SMA 100 series devices exploited in July 2025 for Abyss ransomware via rootkits.
Akira’s history of targeting SonicWall (e.g., 2023’s Gen 5/6 RCE attacks) shows persistent weaponization.

Why target firewalls? Compromising edge devices grants attackers “keys to the kingdom”—deep network access with minimal scrutiny.

💎 Conclusion: Assume Compromise and Act Aggressively

While SonicWall investigates, organizations must treat this as a critical ongoing threat. The 2-hour window from VPN breach to ransomware demands:

Disable SSLVPN where possible; restrict it via IP allow-listing if essential.
Upgrade to SonicOS 7.3.0 and reset all local passwords.
Hunt for IOCs like attacker IPs, scripts etc.
Audit service accounts—no SonicWall-related account should have domain admin rights.

Steganography: Hidden Payload