
Ransomware Hits SonicWall Firewalls: Gen-7 SSLVPN Exploits and How to Mitigate
Christopher Souza | CEO
Over the past several days, cybersecurity researchers, including our trusted partners at Arctic Wolf Security, have identified a sharp rise in targeted cyberattacks against SonicWall Gen 7 firewalls with SSLVPN enabled. These are not speculative findings but active, coordinated campaigns that have already resulted in ransomware deployments across multiple organizations.
SonicWall has confirmed that this activity is linked to the Akira ransomware group, a well-known, financially motivated criminal organization notorious for its ability to move from initial access to full-scale ransomware deployment in a matter of hours. While there were early concerns about a new “zero-day” exploit, the reality is even more troubling: attackers are taking advantage of CVE-2024-40766, a previously disclosed improper access control vulnerability affecting SonicOS SSL VPN functionality. This vulnerability, combined with security hygiene steps that are often overlooked during firewall upgrades (failing to reset inherited passwords, leaving dormant user accounts active, reusing old SSLVPN configurations, skipping firmware integrity checks, or neglecting to reapply MFA settings), has opened the door to devastating attacks.
Why This Vulnerability Matters
CVE-2024-40766 is a critical flaw affecting SonicWall firmware versions 7.2.0–7015 and earlier. A particularly dangerous scenario arises when organizations migrate from Gen 6 to Gen 7 firewalls without resetting local user account passwords, despite clear vendor guidance. This oversight gives attackers the ability to decrypt SSLVPN credentials, bypass security controls, and quickly move deeper into the network. In some cases, they can reach domain controllers within hours. The speed and precision of these intrusions leave almost no time for detection or response.
Meet the Attackers
Akira is a Ransomware-as-a-Service (RaaS) operation that has been active since 2023 and quickly established itself as one of the most prolific threats in the cybercrime landscape. Believed to have links to the defunct Conti group, Akira has attacked more than 250 organizations worldwide across the manufacturing, healthcare, education, legal, and critical infrastructure sectors, raking in an estimated $40+ million in ransom payments.
Once inside, their operators waste no time. They escalate privileges, harvest credentials, disable security tools, and exfiltrate sensitive data before encrypting systems. Akira’s operations are deliberate, well-resourced, and capable of crippling a target network within hours of initial compromise.
Though Akira is aligned more closely with financially motivated cybercrime than with any ideological movement, it is widely believed to be a successor to the Conti ransomware gang, which has known ties to Russia. Akira has been observed communicating in Russian on dark-web forums, and its malware avoids running on Russian-language systems, both of which hint at its origins.
Real-World Example: How One VPN Breach Led to a $2M Ransom Demand
Mass exploitation of firewall vulnerabilities is nothing new. In 2024, more than 2,000 Palo Alto Networks firewalls were compromised via zero-day flaws in PAN-OS (CVE-2024-0012 and CVE-2024-9474). The Shadowserver Foundation detected widespread exploitation, including of devices believed to be patched. Attackers moved quickly to steal data, install malware, and encrypt networks. The takeaway: when a network gateway is breached, the response window is measured in hours, not days.
Stay vigilant! Firewall vulnerabilities are being weaponized quickly and at a massive scale. Keep reading to learn what your next steps should be.
Immediate Recommended Actions
Time is critical in situations like this. If your organization runs a Gen 7 SonicWall firewall with SSLVPN enabled, act immediately: upgrade to SonicOS 7.3.0, reset all local account passwords (especially those migrated from Gen 6), and either disable SSLVPN entirely or restrict it to trusted IPs. Additional measures such as enabling Botnet Protection and Geo-IP Filtering, enforcing MFA, and removing unused accounts further shrink your attack surface.
Beyond patching, layered defenses like SIEM+SOC, MFA, and End User Training can stop attacks before they escalate. A SIEM continuously collects and correlates log data across your network to detect anomalies in real time, while a 24/7 SOC investigates and neutralizes threats before they spread. MFA adds a critical authentication barrier, making stolen credentials far less effective. End User Training turns staff into active defenders, reducing the likelihood of phishing or credential-theft success. Together, these measures strengthen your cybersecurity posture and give you the tools to proactively remediate threats before they can harm your organization.
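As an added example (not from the original post and not SonicWall's or Arctic Wolf's code), here is a small Python check that a SIEM rule or an analyst could run over SSLVPN login events to apply two of the measures above: flag successful logins from outside the trusted networks, and flag logins to local accounts migrated from Gen 6 whose passwords have not yet been reset. The sample log lines, the trusted network, and the account list are constructed, and the key=value syslog layout is an assumption.

```python
import ipaddress
import re

# Constructed sample lines in a key=value syslog style; they are illustrative,
# not captured from a real SonicWall device.
SAMPLE_LOGS = [
    'id=firewall time="2025-08-01 02:11:09" pri=6 '
    'msg="SSL VPN zone remote user login allowed" src=203.0.113.44 usr="svc_backup"',
    'id=firewall time="2025-08-01 02:11:40" pri=6 '
    'msg="SSL VPN zone remote user login allowed" src=198.51.100.7 usr="jdoe"',
    'id=firewall time="2025-08-01 02:12:03" pri=6 '
    'msg="SSL VPN zone remote user login allowed" src=203.0.113.44 usr="admin_old"',
    'id=firewall time="2025-08-01 02:13:15" pri=6 '
    'msg="SSL VPN zone remote user login failed" src=203.0.113.44 usr="admin_old"',
]

# Assumed policy inputs: the networks SSLVPN is supposed to be restricted to,
# and the local accounts carried over from Gen 6 whose passwords were not reset.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
MIGRATED_ACCOUNTS = {"admin_old", "svc_backup"}

# key=value pairs; values are either "quoted with spaces" or a bare token
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def review_sslvpn_logins(lines, trusted_nets, watch_accounts):
    """Return one finding per successful login that breaks a mitigation."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if "login allowed" not in ev.get("msg", ""):
            continue  # failed attempts are noise for this particular check
        reasons = []
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in trusted_nets):
            reasons.append("source outside trusted networks")
        if ev.get("usr") in watch_accounts:
            reasons.append("migrated account with unreset password")
        if reasons:
            findings.append({"usr": ev.get("usr"), "src": ev["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_sslvpn_logins(SAMPLE_LOGS, TRUSTED_NETS, MIGRATED_ACCOUNTS):
        print(f"{f['usr']} from {f['src']}: {'; '.join(f['reasons'])}")
```

Each finding should trigger a password reset (or account removal) and a session review, which is the kind of correlation a SIEM can automate once the trusted-IP and account lists are maintained.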
How TSI Can Help
At TSI, we go beyond emergency fixes. Our Managed Security Services blend advanced threat intelligence, proactive vulnerability management, and continuous monitoring through partners like Arctic Wolf. This means detecting and disrupting threats before they become breaches.
We also align your security posture with regulatory frameworks like NIST 800-171 and CMMC 2.0, ensuring compliance and security progress hand in hand. Our goal isn’t just to address today’s risks, but to also make sure tomorrow’s attacks fail outright.
The Bottom Line
Groups like Akira are fast, deliberate, and opportunistic. When they target your firewall, they’re trying to unlock your entire network. The organizations that survive these campaigns are the ones that act decisively, not just to patch, but to fortify. We’re actively tracking updates from SonicWall and our cybersecurity partners, and we’ll keep you informed as new information or firmware releases become available.
If you’re unsure about your SonicWall configuration, contact TSI today for an immediate review and remediation. Our team will implement the latest mitigations, close any lingering vulnerabilities, and strengthen your defenses to withstand future threats. As an MSP, we offer a wide range of security services that you can check out here: Managed IT Security Service Plans.
Check out SonicWall’s full advisory for more information: SonicWall Notice.
About Technical Support International
TSI is a 36-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to help guide our clients toward a successful certification audit and provide the assurance that they are adhering to these expansive compliance requirements.
