New SonicWall SSL-VPN Threat: How to Respond and Stay Protected
Christopher Souza | CEO
When it comes to cybersecurity, few things are more alarming than the discovery of a potential zero-day vulnerability in widely used infrastructure. That’s exactly the concern now facing SonicWall Gen 7 firewalls with SSL-VPN enabled and the SMA 100 series. Technical Support International (TSI) has learned of a flaw that could allow attackers to gain unauthorized access to certain SonicWall services and even bypass multi-factor authentication (MFA). SonicWall has not yet issued a formal statement on this specific case; its official noticeboard is the place to watch for one when it does. The risk is significant enough that we strongly advise immediate defensive measures.
What We Know So Far
SonicWall’s security bulletins confirm multiple critical vulnerabilities affecting its appliances, including SMA 100 Series devices, with active exploitation campaigns already underway. According to advisories, advanced threat actors have been deploying OVERSTEP, a persistent rootkit capable of hijacking sessions, stealing administrator credentials, and even surviving firmware upgrades. Additional vulnerabilities (such as CVE-2024-38475 and CVE-2025-40599) highlight ongoing risks tied to SSL VPN access and administrative misconfigurations.
For organizations relying on SonicWall firewalls, the implications are serious: remote access gateways that are often the only bridge into secure environments could be leveraged to bypass MFA, exfiltrate data, or gain full administrative control.
Recommended Immediate Actions
Until SonicWall provides official remediation guidance for this recent activity correlated with CVE-2024-40766, TSI strongly recommends these evidence-based actions:
- Evaluate temporary restrictions of SSL-VPN exposure based on your risk profile and vendor guidance. While disruptive to remote users, the alternative could be far more damaging.
- Audit firewall admin settings. Remove unnecessary local accounts, rename the default administrator, and confirm MFA is enforced for all administrative logins.
- Stay patched. For appliances already covered by published advisories, ensure you are running the latest firmware (SonicWall has recommended versions 10.2.2.2-92sv or higher for SMA 100).
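The three actions above are a checklist an administrator can run against every appliance in an inventory. The script below is an added example, not TSI's or SonicWall's own tooling: it parses SMA 100 firmware strings of the form shown in the post (10.2.2.2-92sv), compares them against the recommended minimum, and reports the other checklist items (WAN-exposed SSL-VPN, MFA not enforced for admins, the default "admin" account still present, local admin accounts with no documented owner). The inventory records, the field names and the assumption that the built-in administrator is named "admin" are all constructed for the example; in practice the values would come from each appliance's configuration export.

```python
import re
from dataclasses import dataclass, field

# Minimum SMA 100 firmware named in the post.
RECOMMENDED_MIN = "10.2.2.2-92sv"
# Assumption for this example: the built-in administrator account is named "admin".
DEFAULT_ADMIN_NAME = "admin"

# SMA 100 firmware strings look like "10.2.2.2-92sv": dotted release, dash, build, "sv".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


def parse_sma_version(text):
    """Split an SMA version string into (release_tuple, build_number)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, int(m.group(2))


def is_at_or_above(current, minimum=RECOMMENDED_MIN):
    """True if `current` is the same as or newer than `minimum`."""
    cur_rel, cur_build = parse_sma_version(current)
    min_rel, min_build = parse_sma_version(minimum)
    # Pad shorter dotted releases with zeros so "10.2.2" compares against "10.2.2.2".
    width = max(len(cur_rel), len(min_rel))
    cur_rel += (0,) * (width - len(cur_rel))
    min_rel += (0,) * (width - len(min_rel))
    # Release numbers are compared first; the build number only breaks ties.
    return (cur_rel, cur_build) >= (min_rel, min_build)


@dataclass
class Appliance:
    """Constructed inventory record; field names are this example's, not SonicWall's."""
    name: str
    firmware: str
    sslvpn_wan_exposed: bool
    admin_mfa_enforced: bool
    admin_accounts: list
    reviewed_accounts: set = field(default_factory=set)  # accounts with a documented owner


def audit_appliance(a):
    """Return one finding per checklist item from the post that the appliance fails."""
    findings = []
    try:
        if not is_at_or_above(a.firmware):
            findings.append(f"firmware {a.firmware} is below recommended {RECOMMENDED_MIN}")
    except ValueError as exc:
        # An unparseable version is itself a finding: it cannot be shown compliant.
        findings.append(f"cannot evaluate firmware: {exc}")
    if a.sslvpn_wan_exposed:
        findings.append("SSL-VPN is reachable from the WAN; evaluate a temporary restriction")
    if not a.admin_mfa_enforced:
        findings.append("MFA is not enforced for administrative logins")
    if DEFAULT_ADMIN_NAME in a.admin_accounts:
        findings.append(f"default administrator name '{DEFAULT_ADMIN_NAME}' is still in use")
    # The default account is already reported above, so exclude it here.
    unreviewed = set(a.admin_accounts) - a.reviewed_accounts - {DEFAULT_ADMIN_NAME}
    for acct in sorted(unreviewed):
        findings.append(f"local account '{acct}' has no documented owner; remove or justify")
    return findings


def audit_inventory(appliances):
    """Map appliance name -> list of findings for the whole inventory."""
    return {a.name: audit_appliance(a) for a in appliances}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Appliance("sma-branch-01", "10.2.1.14-75sv", True, False,
              ["admin", "svc-backup", "jdoe"], {"jdoe"}),
    Appliance("sma-hq-01", "10.2.2.2-92sv", False, True,
              ["fw-admin-hq"], {"fw-admin-hq"}),
    Appliance("sma-lab-01", "unknown", False, True,
              ["fw-admin-lab"], {"fw-admin-lab"}),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for item in findings:
            print(f"  - {item}")
```

The version comparison deliberately orders the dotted release before the build number, so a later release with a low build (for example a hypothetical 10.2.2.3-1sv) correctly counts as newer than 10.2.2.2-92sv, and a string that does not match the expected pattern is reported rather than silently passed.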
Lessons From Past Firewall Breaches
This isn’t the first time firewalls have been a prime target. Just last year, Fortinet VPN appliances were compromised in large-scale campaigns that saw threat actors exploiting unpatched vulnerabilities to gain persistent access inside enterprise networks. Similar to SonicWall’s current risk profile, these attacks demonstrate how perimeter devices can effectively negate even the most well-designed security strategies if compromised. The lesson remains the same: vigilance and proactive hardening are non-negotiable.
Contact Us Today: We Can Help
The cybersecurity landscape is moving faster than ever, and firewalls are once again in the crosshairs. SonicWall users should treat this potential zero-day as a high-priority issue and take steps now to minimize exposure. Whether it’s assisting with SSL VPN disablement, reconfiguring administrator accounts, or implementing broader best practices, TSI is here to help safeguard your environment before attackers can take advantage.
Contact TSI today to discuss your firewall security posture and next steps for ensuring resilience against evolving threats.
About Technical Support International
TSI is a 37-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to help guide our clients toward a successful certification audit and provide the assurance that they’re adhering to these expansive compliance requirements.