Urgent Advisory: SonicWall Customers Must Disable SSL‑VPN Amid Ransomware Surge


Enterprise security provider SonicWall has issued an urgent advisory urging users of its Gen 7 firewall devices to disable SSL‑VPN services immediately, following a sharp rise in Akira ransomware attacks targeting these appliances.


What’s Happening

In the past 72 hours, SonicWall has observed a “notable increase” in security incidents involving Gen 7 devices with SSL‑VPN enabled. While SonicWall investigates whether the root cause is a known issue or a zero‑day vulnerability, third-party researchers strongly suspect the latter.


Why This Is Critical

The attack vector begins with SSL‑VPN providing initial access, then attackers rapidly escalate to domain controllers, exfiltrate credentials, disable defences, and encrypt systems.

The speed and success—especially in MFA-protected environments—indicate a likely zero‑day exploit in firmware versions 7.2.0‑7015 and earlier, particularly affecting TZ and NSa‑series devices with SSL‑VPN enabled.


Recommended Immediate Actions

Until SonicWall confirms and patches any vulnerability, Critical Path clients should immediately:

  1. Disable SSL‑VPN services where feasible.

  2. If disabling is not possible, restrict access to a trusted IP address allow list only.

  3. Enable security services: Botnet protection and Geo‑IP Filtering.

  4. Enforce MFA on all remote access.

  5. Remove inactive or unused local firewall accounts, especially those with VPN access.

  6. Improve password hygiene: rotate passwords regularly and audit privileged accounts.


Network Indicators

IP Addresses


Executables

  • w.exe
  • sshd.exe
  • win.exe
  • cloudflared.exe
  • winrar.exe
  • 1.bat
  • 2.bat
  • fzsftp.exe
  • OpenSSHa.msi

Sha256 Hashes

  • d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d

File Paths

  • C:\Program
  • C:\ProgramData\1.bat
  • C:\ProgramData\2.bat
  • C:\ProgramData\OpenSSHa.msi
  • C:\programdata\ssh\cloudflared.exe
  • C:\ProgramData\winrar.exe

Additional Context

Similar ransomware attacks exploiting VPN appliances are not unprecedented. Akira affiliates have previously targeted enterprise-grade firewalls for access.


Recommended Next Steps for SecOps Teams

  • Action: Gather logs from Gen 7 SSL‑VPN appliances for activities since mid-July. Purpose: look for unusual logins (especially from VPS-hosted IPs) or indicators of compromise.

  • Action: Audit service and admin accounts assigned to SonicWall, including “sonicwall” or LDAP‑related service users. Purpose: ensure least privilege principles.

  • Action: Segment VPN‑exposed services from critical assets like domain controllers. Purpose: limit lateral movement.

  • Action: Monitor externally-sourced IPS and threat intel feeds for updates on patches or vendor advisories. Purpose: stay prepared for patch deployment.
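A small log-triage script for the first step above (an added example, not part of the advisory or SonicWall's tooling): it parses SSL‑VPN login events, drops anything older than the mid-July window, and flags logins whose source is on the advisory's indicator list or, for successful logins, outside the trusted allow list. The key=value log layout, the sample lines, the trusted range 203.0.113.0/24 and the exact cutoff date are assumptions; the indicator addresses are taken from the advisory.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in a SonicWall-style syslog key=value layout
# (layout and values are assumptions for this example, not a real capture).
SAMPLE_LOGS = """\
id=sslvpn time="2025-08-01 03:12:44" msg="SSL VPN user login successful" usr="svc_backup" src=42.252.99.59
id=sslvpn time="2025-08-01 08:05:10" msg="SSL VPN user login successful" usr="jdoe" src=203.0.113.25
id=sslvpn time="2025-08-02 02:47:01" msg="SSL VPN user login failed" usr="administrator" src=77.247.126.239
id=sslvpn time="2025-08-02 02:47:30" msg="SSL VPN user login successful" usr="administrator" src=77.247.126.239
id=sslvpn time="2025-07-10 09:00:00" msg="SSL VPN user login successful" usr="jdoe" src=198.51.100.9
"""

# Indicator IPs from the advisory; the trusted network and cutoff are assumptions.
INDICATOR_IPS = {"42.252.99.59", "194.33.45.155", "77.247.126.239", "104.238.205.105"}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SINCE = datetime(2025, 7, 15)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(log_text):
    """Return (time, user, src, reason) for each login event worth a look."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev.get("msg", "").startswith("SSL VPN user login"):
            continue  # not a login event
        when = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if when < SINCE:
            continue  # outside the review window
        src = ipaddress.ip_address(ev["src"])
        success = ev["msg"].endswith("successful")
        if ev["src"] in INDICATOR_IPS:
            findings.append((ev["time"], ev["usr"], ev["src"],
                             "source IP on advisory indicator list"))
        elif success and not any(src in net for net in TRUSTED_NETS):
            findings.append((ev["time"], ev["usr"], ev["src"],
                             "successful login from outside the allow list"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(*finding, sep=" | ")
```

Feed it your exported appliance logs in place of SAMPLE_LOGS and extend INDICATOR_IPS with the full list from the advisory.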

Bottom Line

As of August 5, 2025, SonicWall has issued a critical advisory: disable SSL‑VPN on Gen 7 firewalls immediately due to suspected zero‑day exploitation by the Akira ransomware gang.

Organisations using these devices should treat remote access surfaces as compromised until SonicWall issues patches and further guidance. Proactive mitigation and network hygiene are essential right now.

Stay safe—and prepared.

