
Critical Security Issues Affecting SonicWall Firewalls: What You Need to Know

SonicWall firewall customers have faced a challenging year in 2025, with multiple security incidents threatening network infrastructure worldwide. From cloud backup breaches to actively exploited vulnerabilities, these issues pose significant risks to organizations that rely on SonicWall’s network security solutions. Here’s what happened and what you need to do to protect your network.

The MySonicWall Cloud Backup Breach

In what may be the most concerning development, SonicWall disclosed in September 2025 that malicious actors used brute-force techniques against its MySonicWall.com web portal to access a subset of customers’ configuration files stored in cloud backups. Initially, the company reported that less than 5% of customers were affected, but this assessment changed dramatically when SonicWall revealed that all customers who have used the cloud backup service were impacted.

These configuration backup files contain sensitive information that network administrators should be deeply concerned about. While credentials within the files were encrypted, the files also included information that actors can use to gain access to customers’ SonicWall Firewall devices. This includes user and group settings, DNS configurations, log settings, certificates, and other critical network details that threat actors can weaponize.

The breach has profound implications because firewall configuration files serve as a roadmap for an organization’s network security architecture. With this information, attackers can identify weaknesses, understand network topology, and plan targeted attacks with surgical precision.

CVE-2024-40766: The Vulnerability That Won’t Go Away

At the heart of many recent attacks is CVE-2024-40766, a critical vulnerability first disclosed in September 2024. This improper access control flaw affects SonicWall SonicOS management access and SSL VPN functionality, potentially allowing unauthorized access to resources and, under certain conditions, causing firewalls to crash.

The vulnerability received a CVSS score of 9.3 out of 10, indicating critical severity, and affects multiple generations of SonicWall devices. Gen 5, Gen 6, and Gen 7 devices running SonicOS 7.0.1-5035 or earlier are all vulnerable.

What makes this vulnerability particularly dangerous is that it requires no authentication and has low attack complexity, meaning threat actors can exploit it relatively easily from anywhere on the internet. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in September 2024, signaling active exploitation in the wild.

The Akira Ransomware Campaign

The exploitation of CVE-2024-40766 took on new urgency in July and August 2025 when security researchers observed a significant spike in ransomware activity. Arctic Wolf and Huntress detected an increase in ransomware attacks targeting SonicWall firewall devices for initial access, with multiple pre-ransomware intrusions occurring within short time periods, each involving VPN access through SonicWall SSL VPNs.

Huntress identified around 20 different attacks tied to this wave, starting July 25, 2025, all related to the Akira ransomware. The attacks followed a consistent pattern: threat actors would gain access through compromised SSL VPN accounts, then move quickly to deploy ransomware, often within hours of initial access.

SonicWall eventually confirmed high confidence that the recent SSL VPN activity was connected to CVE-2024-40766 and password reuse, rather than a new zero-day vulnerability. Many incidents were traced to organizations that had migrated from Gen 6 to Gen 7 devices without properly resetting local user passwords.

Our team has worked tirelessly to ensure services are not impacted and has developed custom tools that enhance your workflow and enable secure SSL-VPN access to your files and services.

October 2025: Widespread VPN Compromise

The situation escalated further in October 2025. A significant wave of activity commenced on October 4, 2025, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts being compromised. Security researchers at Huntress tracked these intrusions and observed varying levels of attack sophistication.

In some instances, threat actors disconnected after brief reconnaissance, while in other cases, they conducted network scanning and attempted to access numerous local Windows accounts. This variation suggests either multiple threat actor groups or different stages of a coordinated campaign.

Who’s at Risk?

If your organization uses SonicWall firewalls, you should assume you’re potentially at risk, especially if:

  • You have enabled SSL VPN functionality on Gen 5, Gen 6, or Gen 7 devices
  • You use the MySonicWall cloud backup service
  • You migrated from older-generation devices without resetting all credentials
  • You haven’t updated to the latest firmware versions
  • Multi-factor authentication is not enabled for VPN access
  • Your firewall management interfaces are accessible from the public internet

Immediate Actions You Must Take

Based on recommendations from SonicWall, CISA, and security researchers, here are the critical steps you need to take immediately:

1. Verify Your Exposure

Log in to your MySonicWall customer account to verify whether your device is at risk. Check the Product Management section under Issue List for impacted devices.

2. Update Firmware

Install the latest SonicOS firmware version immediately. Update to firmware version 7.3.0 by following SonicWall’s firmware update guide. This version includes enhanced protections against brute-force attacks and improved authentication controls.

3. Reset All Credentials

This is perhaps the most critical step. Rotate credentials on all user accounts with SSL VPN access, especially if they were carried over during migration from Gen 6 to Gen 7. This includes:

  • All local firewall user accounts
  • Administrative accounts
  • LDAP service accounts used for Active Directory synchronization
  • Consider rotating Active Directory credentials for users with VPN access as an added precaution

4. Enable Multi-Factor Authentication

MFA should be enabled for all remote access to reduce the risk of credential abuse. This single step can prevent many of the attacks being observed.

5. Restrict Management Access

Disable or restrict access to HTTP/HTTPS & SSH Management over the WAN, and disable or restrict access to SSL VPN until remediation actions have been completed. If your firewall management doesn’t need to be accessible from the internet, disable WAN management entirely.

6. Remove Unused Accounts

Delete any inactive or unused local firewall user accounts, particularly those with SSL VPN access. Every unused account is a potential entry point for attackers.
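Steps 3 and 6 above are the kind of review most administrators end up doing by hand against an exported user list. The script below is an added example (not SonicWall tooling) that triages a constructed CSV of local firewall accounts: it flags accounts whose password predates the Gen 6 to Gen 7 migration and still has SSL VPN, administrative or LDAP-sync rights, and separately flags local accounts that have not logged in within a stale-days window. The column layout, the group name "SSLVPN Services", the account types and the dates are all assumptions made for the example; a real export would need its own column mapping.

```python
"""Triage a local firewall user list for credential rotation and stale-account cleanup.

Added example, not SonicWall code. The CSV layout is constructed for this
example; map a real export's columns onto it before use. Dates are ISO
(YYYY-MM-DD) and an empty last_login means the account has never logged in.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed sample export (not a real SonicOS export format).
# type: local (ordinary user), admin, or service (e.g. the LDAP sync account).
SAMPLE_USERS = """\
name,type,groups,last_login,password_last_set
jsmith,local,SSLVPN Services;Everyone,2025-10-01,2024-03-15
contractor1,local,SSLVPN Services,2025-02-10,2024-03-15
admin,admin,Everyone,2025-10-03,2025-09-30
ldap-sync,service,Everyone,,2023-11-02
amy,local,SSLVPN Services,2025-10-02,2025-09-28
"""

VPN_GROUP = "SSLVPN Services"  # assumed group name granting SSL VPN access


def triage_accounts(csv_text, migration_date, today, stale_days=90):
    """Return {account_name: [findings]} for accounts that need action.

    rotate_credentials: the account can reach the firewall (VPN, admin or
        service role) and its password was last set on or before the
        migration date, i.e. it was carried over rather than reset.
    remove_unused: an ordinary local account that has never logged in or has
        not logged in for more than stale_days.
    """
    cutoff = today - timedelta(days=stale_days)
    findings = {}
    for row in csv.DictReader(StringIO(csv_text)):
        issues = []
        groups = set(row["groups"].split(";"))
        privileged = row["type"] in ("admin", "service") or VPN_GROUP in groups
        pw_set = date.fromisoformat(row["password_last_set"])
        last = date.fromisoformat(row["last_login"]) if row["last_login"] else None

        if privileged and pw_set <= migration_date:
            issues.append("rotate_credentials")
        # Service accounts are not expected to log in interactively, so only
        # ordinary local accounts are judged on inactivity.
        if row["type"] == "local" and (last is None or last < cutoff):
            issues.append("remove_unused")
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    report = triage_accounts(SAMPLE_USERS, date(2025, 3, 1), date(2025, 10, 6))
    for name, issues in report.items():
        print(f"{name}: {', '.join(issues)}")
```

Run with the migration date and the date of the review; accounts that appear under rotate_credentials are the ones whose passwords were carried across the migration, which is exactly the population SonicWall tied to the recent SSL VPN incidents.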

7. Enable Enhanced Security Services

Ensure services such as Botnet Protection are active, as these services help detect threat actors known to target SSL VPN endpoints.

8. Consider Disabling SSL VPN Temporarily

If SonicWall SSL VPN is not in use in your environment, consider disabling it to reduce the risk of exploitation. If you must keep it enabled, implement strict IP whitelisting to limit access to trusted sources only.

Long-Term Security Improvements

Beyond immediate remediation, consider these longer-term security enhancements:

Implement Network Segmentation: Don’t rely solely on perimeter security. Segment your network so that a compromised VPN account can’t provide unfettered access to your entire infrastructure.

Deploy Enhanced Monitoring: Enable comprehensive logging for all SSL VPN login attempts and configure alerts for suspicious activity, such as logins from unusual geographic locations or multiple failed authentication attempts.
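To make the two alert conditions in that paragraph concrete, here is an added example (not SonicWall code) that runs them over constructed syslog-style SSL VPN login events. The key=value line format, the field names (event, result, user, src, country) and the thresholds are assumptions for the example, not the SonicOS log schema; the logic is a sliding window of failed logins per source address, a flag when a source that tripped that window later succeeds, and a flag for any success from a country outside the expected set.

```python
"""Flag suspicious SSL VPN login activity in syslog-style firewall events.

Added example, not SonicWall code. The log lines and their key=value layout
are constructed for this example and only approximate a real SonicOS syslog
feed; adjust the regexes to the actual format before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real captures). XX stands in for a country
# the organisation has no users in.
SAMPLE_LOGS = """\
2025-10-04T02:11:05Z fw1 vpn: event=sslvpn_login result=failure user=jsmith src=198.51.100.7 country=XX
2025-10-04T02:11:09Z fw1 vpn: event=sslvpn_login result=failure user=jsmith src=198.51.100.7 country=XX
2025-10-04T02:11:14Z fw1 vpn: event=sslvpn_login result=failure user=jsmith src=198.51.100.7 country=XX
2025-10-04T02:11:20Z fw1 vpn: event=sslvpn_login result=failure user=jsmith src=198.51.100.7 country=XX
2025-10-04T02:11:27Z fw1 vpn: event=sslvpn_login result=failure user=jsmith src=198.51.100.7 country=XX
2025-10-04T02:12:01Z fw1 vpn: event=sslvpn_login result=success user=jsmith src=198.51.100.7 country=XX
2025-10-04T08:30:00Z fw1 vpn: event=sslvpn_login result=success user=amy src=203.0.113.10 country=US
2025-10-04T09:05:00Z fw1 vpn: event=sslvpn_login result=failure user=bob src=192.0.2.44 country=US
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) vpn: (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse the assumed line format into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("fields")))
        if fields.get("event") != "sslvpn_login":
            continue
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def analyze(text, expected_countries, fail_threshold=5, window=timedelta(minutes=5)):
    """Return a list of (alert_type, src, user) tuples in event order.

    brute_force:            fail_threshold or more failures from one source
                            inside the sliding window (raised once per source)
    success_after_failures: a source that tripped brute_force later logs in
    unusual_geo:            a successful login from a country not in
                            expected_countries
    """
    events = sorted(parse_events(text), key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)  # src -> failure timestamps still inside the window
    flagged_sources = set()
    for e in events:
        src, user = e["src"], e["user"]
        if e["result"] == "failure":
            window_start = e["ts"] - window
            failures[src] = [t for t in failures[src] if t >= window_start] + [e["ts"]]
            if len(failures[src]) >= fail_threshold and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append(("brute_force", src, user))
        elif e["result"] == "success":
            if src in flagged_sources:
                alerts.append(("success_after_failures", src, user))
            if e.get("country") not in expected_countries:
                alerts.append(("unusual_geo", src, user))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS, expected_countries={"US"}):
        print(alert)
```

The success_after_failures alert is the one worth paging on: a burst of failures followed by a success from the same address is the signature of a guessed or reused password, which is the access path the incidents above relied on. Feed the analyzer from the firewall's syslog export rather than the device itself so the evidence survives if the appliance is later wiped or reconfigured.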

Regular Security Audits: Conduct periodic reviews of firewall configurations, user accounts, and access policies. Remove unnecessary services and accounts regularly.

Incident Response Planning: Ensure you have a tested incident response plan specifically for scenarios involving compromised network security appliances.

Alternative Authentication Methods: Consider implementing certificate-based authentication alongside, or in place of, password-based authentication for VPN access.

The Bigger Picture

These incidents highlight a troubling trend in cybersecurity: network security appliances are increasingly becoming prime targets for sophisticated threat actors. When perimeter defenses are compromised, attackers gain a foothold that’s difficult to detect and even harder to remediate.

The SonicWall situation also demonstrates how cascading security issues can compound risk. The combination of an exploitable vulnerability (CVE-2024-40766), poor credential hygiene during migrations, lack of multi-factor authentication, and a separate cloud backup breach created a perfect storm that threat actors eagerly exploited.

For SonicWall customers, the message is clear: immediate action is not optional. The threat is active, widespread, and targeting real organizations right now. The ransomware groups behind these attacks are not theoretical—they’re operating at scale and moving quickly once they gain access.

Looking Ahead

SonicWall has taken steps to address these issues, including hardening its infrastructure, implementing additional logging, and introducing stronger authentication controls. The company has also set up dedicated support teams to help customers through the remediation process.

However, the responsibility for securing your network ultimately rests with your organization. Don’t wait for the next security bulletin or the next attack wave. If you’re running SonicWall firewalls, log in to MySonicWall today, verify your devices, and begin the remediation process immediately.

The cost of taking action now is measured in hours of administrator time and potential brief service interruptions. The cost of inaction could be measured in ransomware payments, data breaches, regulatory fines, and irreparable damage to your organization’s reputation.
