SonicWall VPNs Exploited via 0-Day Vulnerability to Bypass MFA and Deploy Ransomware
A likely zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) VPNs and firewall appliances is being actively exploited in the wild, enabling attackers to bypass multi-factor authentication (MFA) and deploy ransomware within hours of the initial breach.
Security firms, including Huntress, Arctic Wolf, and Sophos, have reported a recent surge in high-severity incidents targeting these devices, indicating a critical and ongoing threat to organizations that rely on them.
The attacks follow a swift and consistent playbook, beginning with a breach of the SonicWall appliance itself. Security researchers at Huntress, who have been responding to a wave of these incidents since late July 2025, report that the speed and success of the attacks, even against environments with MFA enabled, strongly point to an unpatched vulnerability.

Once threat actors gain an initial foothold, they move rapidly to compromise the entire network. Attackers have been observed immediately abusing over-privileged service accounts, such as the LDAP bind account the SonicWall appliance uses to query Active Directory, or administrative accounts configured on the device. Where that account holds domain-level privileges, compromising the appliance hands the attacker administrative access to the domain at once.
To ensure persistent access, they deploy tools like Cloudflared tunnels and OpenSSH, effectively creating a backdoor into the compromised network. Cloudflared tunnels are outbound connections, so they survive even when no inbound port is opened on the perimeter firewall.
With elevated privileges, the attackers proceed with a mix of automated scripts and hands-on techniques to move laterally. They have been seen using WMI and PowerShell Remoting to navigate the network, dump credentials from Veeam Backup databases (which typically store highly privileged credentials for the systems being backed up), and exfiltrate the Active Directory database (NTDS.dit) for offline password cracking.
Before deploying the final payload, the attackers methodically dismantle security defenses. They use built-in Windows tools to disable Microsoft Defender and modify firewall rules to allow their own remote access.
The final stage involves deleting Volume Shadow Copies to prevent easy system recovery, immediately followed by the deployment of what has been identified as Akira ransomware.
The tradecraft varies between attacks, suggesting that multiple threat actors may be exploiting the same vulnerability with different toolsets.
Observed methods include using legitimate tools like Advanced IP Scanner and WinRAR for reconnaissance and data staging, alongside living-off-the-land binaries (LOLBins) and custom scripts. Attackers have also been caught creating new user accounts to maintain their presence on the network.
In response to this active threat, security experts are issuing urgent recommendations. Huntress strongly advises organizations to disable their SonicWall SSL VPN access immediately until an official patch is released.
If disabling the VPN is not feasible for business operations, access should be severely restricted to an allowlist of known, trusted source IP addresses. This reduces exposure but does not remove it: an attacker who controls a host inside an allowed network can still reach the appliance, so the allowlist should be treated as a stopgap rather than a fix.
Furthermore, it is critical to audit service accounts and ensure they operate under the principle of least privilege, as compromised high-privilege accounts are a key element of the attack chain. In particular, the account the appliance uses to bind to LDAP/Active Directory should have read-only directory rights and no membership in administrative groups, so that compromise of the appliance does not immediately yield domain administrative access. Organizations are also urged to hunt for the published Indicators of Compromise (IOCs) within their environments to detect any signs of a breach.
Indicator Type | Description or Example |
---|---|
Attacker IP address | 42.252.99[.]59 |
Attacker IP address | 45.86.208[.]240 |
Attacker IP address | 77.247.126[.]239 |
Attacker IP address | 104.238.205[.]105 |
Attacker IP address | 104.238.220[.]216 |
Attacker IP address | 181.215.182[.]64 |
Attacker IP address | 193.163.194[.]7 |
Attacker IP address | 193.239.236[.]149 |
Attacker IP address | 194.33.45[.]155 |
Malicious executable | w.exe (Akira ransomware) |
Malicious executable | win.exe (ransomware) |
Malicious executable | C:\ProgramData\winrar.exe (WinRAR) |
Malicious executable | C:\ProgramData\OpenSSH\a.msi (OpenSSH installer) |
Malicious executable | C:\Program Files\OpenSSH\sshd.exe (SSH exfiltration) |
Malicious executable | C:\programdata\ssh\cloudflared.exe (Cloudflare tunnel) |
Malicious executable | C:\Program Files\FileZilla FTP Client\fzsftp.exe (FileZilla FTP) |
Malicious executable | C:\ProgramData\1.bat (unknown script) |
Malicious executable | C:\ProgramData\2.bat (unknown script) |
Hash (SHA-256) | d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d (w.exe) |
ASN/CIDR infrastructure | AS24863 – LINK-NET – 45.242.96.0/22 |
ASN/CIDR infrastructure | AS62240 – Clouvider – 45.86.208.0/22 |
ASN/CIDR infrastructure | AS62240 – Clouvider – 77.247.126.0/24 |
ASN/CIDR infrastructure | AS23470 – ReliableSite LLC – 104.238.204.0/22 |
ASN/CIDR infrastructure | AS23470 – ReliableSite LLC – 104.238.220.0/22 |
ASN/CIDR infrastructure | AS174 – COGENT-174 – 181.215.182.0/24 |
ASN/CIDR infrastructure | AS62240 – Clouvider – 193.163.194.0/24 |
ASN/CIDR infrastructure | AS62240 – Clouvider – 193.239.236.0/23 |
ASN/CIDR infrastructure | AS62240 – Clouvider – 194.33.45.0/24 |
Created user account | backupSQL |
Created user account | lockadmin |
Password used | Password123$ |
Password used | Msnc?42da |
Password used | VRT83g$%ce |
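As an added example (not code from the original article, from Huntress, or from SonicWall), the Python script below applies the indicators in the table above, together with the host-side tradecraft described earlier (shadow copy deletion, Defender tampering, local account creation, Cloudflared tunnels), to exported log lines. The indicator values are taken from the table, with the published defanged IPs re-fanged before matching; the log lines, host names, user names and timestamps are constructed for the demonstration. The CIDR check is an assumption that other hosts in the listed hosting ranges deserve scrutiny, so those are flagged separately from exact IP matches.

```python
"""Hunt exported log lines for the published indicators and the host-side TTPs.
Added example: indicator values from the advisory table; log lines constructed."""
import ipaddress
import re
from collections import Counter

# Indicators from the table, kept defanged ("[.]") as published.
ATTACKER_IPS = [
    "42.252.99[.]59", "45.86.208[.]240", "77.247.126[.]239", "104.238.205[.]105",
    "104.238.220[.]216", "181.215.182[.]64", "193.163.194[.]7", "193.239.236[.]149",
    "194.33.45[.]155",
]
ATTACKER_CIDRS = [
    "45.242.96.0/22", "45.86.208.0/22", "77.247.126.0/24", "104.238.204.0/22",
    "104.238.220.0/22", "181.215.182.0/24", "193.163.194.0/24", "193.239.236.0/23",
    "194.33.45.0/24",
]
W_EXE_SHA256 = "d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d"
SUSPICIOUS_BINARIES = {"w.exe", "win.exe"}   # matched on the process basename
SUSPICIOUS_PATHS = {                          # matched case-insensitively
    r"c:\programdata\winrar.exe", r"c:\programdata\openssh\a.msi",
    r"c:\programdata\ssh\cloudflared.exe", r"c:\programdata\1.bat", r"c:\programdata\2.bat",
}
SUSPICIOUS_ACCOUNTS = {"backupsql", "lockadmin"}

# Behavioural patterns for the tradecraft the article describes; these still fire
# when the attacker renames the tooling, unlike the path and hash indicators.
TTP_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I),
    "firewall_rule_change": re.compile(r"netsh\s+advfirewall\s+firewall\s+(?:add|set)\s+rule", re.I),
    "local_account_creation": re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "cloudflared_tunnel": re.compile(r"cloudflared(?:\.exe)?\s+tunnel", re.I),
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
TARGET_USER_RE = re.compile(r"TargetUserName=(\S+)")   # Windows event 4720 field
PROCESS_RE = re.compile(r"NewProcessName=(\S+)")       # Windows event 4688 field


def refang(ip: str) -> str:
    """Turn the published defanged form (1.2.3[.]4) back into a real address."""
    return ip.replace("[.]", ".")


ATTACKER_IP_SET = {refang(ip) for ip in ATTACKER_IPS}
ATTACKER_NETS = [ipaddress.ip_network(c) for c in ATTACKER_CIDRS]


def hunt(lines):
    """Return (line_no, kind, detail) tuples for every indicator or TTP match."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ip in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:          # e.g. 999.1.1.1 or a version string
                continue
            if ip in ATTACKER_IP_SET:
                hits.append((n, "attacker_ip", ip))
            elif any(addr in net for net in ATTACKER_NETS):
                hits.append((n, "attacker_infrastructure", ip))  # same range, new host
        for digest in SHA256_RE.findall(line):
            if digest.lower() == W_EXE_SHA256:
                hits.append((n, "known_hash", "w.exe"))
        for path in SUSPICIOUS_PATHS:
            if path in low:
                hits.append((n, "known_path", path))
        m = PROCESS_RE.search(line)
        if m and m.group(1).rsplit("\\", 1)[-1].lower() in SUSPICIOUS_BINARIES:
            hits.append((n, "known_binary", m.group(1)))
        m = TARGET_USER_RE.search(line)
        if m and m.group(1).lower() in SUSPICIOUS_ACCOUNTS:
            hits.append((n, "created_account", m.group(1)))
        for name, pattern in TTP_PATTERNS.items():
            if pattern.search(line):
                hits.append((n, "ttp", name))
    return hits


def summarize(hits):
    """Count hits per kind."""
    return Counter(kind for _, kind, _ in hits)


def flagged_lines(hits):
    return sorted({n for n, _, _ in hits})


# Constructed sample: SonicWall SSL VPN syslog plus Windows 4720/4688 events.
# Host names, user names and timestamps are invented for the example.
SAMPLE_LOG = [
    "2025-07-28T02:14:07Z sonicwall: SSL VPN login succeeded user=jsmith src=193.163.194.7",
    "2025-07-28T02:15:11Z sonicwall: SSL VPN login succeeded user=ops src=45.242.97.50",
    "2025-07-28T02:31:42Z DC01 EventID=4720 A user account was created. TargetUserName=backupSQL SubjectUserName=svc_sonicwall",
    r'2025-07-28T02:40:01Z FS01 EventID=4688 NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    r'2025-07-28T02:41:09Z FS01 EventID=4688 NewProcessName=C:\ProgramData\ssh\cloudflared.exe CommandLine="cloudflared tunnel run"',
    r'2025-07-28T02:50:00Z FS01 EventID=4688 NewProcessName=C:\ProgramData\w.exe SHA256=d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d',
    "2025-07-28T08:00:00Z sonicwall: SSL VPN login succeeded user=alice src=203.0.113.7",
    r'2025-07-28T08:05:00Z FS01 EventID=4688 NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"',
    r'2025-07-28T02:45:30Z FS01 EventID=4688 CommandLine="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2025-07-28T02:46:02Z FS01 EventID=4688 CommandLine="net user lockadmin VRT83g$%ce /add"',
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for n, kind, detail in found:
        print(f"line {n:2d}  {kind:24s} {detail}")
    print(dict(summarize(found)))
```

Feed it real exports (SonicWall syslog, Windows Security event exports rendered one event per line) and triage the `attacker_ip`, `known_hash`, `known_path` and `created_account` hits first; `attacker_infrastructure` and `ttp` hits are broader and need context, since a benign `vssadmin list shadows` is deliberately not flagged while `vssadmin delete shadows` is.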