THREAT ALERT

Reported Cyber Incidents Involving Gen 7 SonicWall Firewalls

Wednesday, August 6th, 2025

DefenseStorm is aware that, over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled. This includes threat activity highlighted by several third-party cybersecurity research teams. Please see the content below, taken directly from SonicWall:

“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.”

Ongoing Investigation

We are:

  • Working closely with external threat research partners.
  • Continuously updating our partners and customers as the investigation progresses.
  • Committed to releasing updated firmware and instructions promptly if a new vulnerability is confirmed.

Recommended Mitigation Steps

Until further notice, we strongly advise all partners and customers using Gen 7 SonicWall firewalls to take the following actions:

  1. Disable SSLVPN Services Where Practical
     • NOTE: All other steps below should still be followed even if disabling SSLVPN is not viable.
     • Limit SSLVPN connectivity to trusted source IPs.
  2. Enable Security Services
     • Activate services such as Botnet Protection and Geo-IP Filtering.
     • These help detect and block known threat actors targeting SSLVPN endpoints.
  3. Enforce Multi-Factor Authentication (MFA)
     • Enable MFA for all remote access to reduce the risk of credential abuse.
     • NOTE: Some reports suggest MFA enforcement alone may not protect against the activity under investigation.
  4. Remove Unused Accounts
     • Delete any inactive or unused local user accounts on the firewall.
     • Pay special attention to those with SSLVPN access.
  5. Practice Good Password Hygiene
     • Encourage regular password updates across all user accounts.

Please remain vigilant and apply the above mitigations immediately to reduce exposure while we continue our investigation. We will update this KB as additional information becomes available.

Change Log

  • 2025-08-04 Initial publish
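Two of SonicWall's steps, limiting SSLVPN to trusted source IPs and removing unused SSLVPN accounts, are only as good as your ability to check them against what the firewall is actually logging. The script below is an example added by the editor; it is not SonicWall's or DefenseStorm's code, and it assumes a generic key=value syslog shape. The sample log lines and the local-user inventory are constructed, and the field names (time, msg, usr, src), the message wording and the group name "SSLVPN Services" are assumptions you must map onto the fields your own export emits. It flags successful SSL VPN logins from outside an assumed trusted-range list, counts repeated failures per source, and lists SSLVPN-enabled local accounts with no successful login in the last 30 days.

```python
"""Hunt for SSL VPN logins outside trusted ranges and for stale SSL VPN accounts.
Editor-added example, not SonicWall's or DefenseStorm's code; log lines, user
inventory, field names and group name below are constructed assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample syslog export (not real device output).
SAMPLE_LOG = """\
time="2025-06-20 08:02:11" msg="SSL VPN login succeeded" usr="j.doe" src=203.0.113.8
time="2025-08-03 22:41:07" msg="SSL VPN login failed" usr="admin" src=192.0.2.77
time="2025-08-03 22:41:19" msg="SSL VPN login failed" usr="admin" src=192.0.2.77
time="2025-08-03 22:41:33" msg="SSL VPN login succeeded" usr="svc-scan" src=192.0.2.77
time="2025-08-04 09:15:02" msg="SSL VPN login succeeded" usr="a.lee" src=198.51.100.10
time="2025-08-04 09:16:40" msg="Web management login" usr="admin" src=10.0.0.5
"""

# Constructed local-user inventory: user -> group memberships (group name assumed).
LOCAL_USERS = {
    "j.doe": ["SSLVPN Services"],
    "a.lee": ["SSLVPN Services"],
    "svc-scan": ["SSLVPN Services"],
    "old-contractor": ["SSLVPN Services"],
    "admin": ["Administrators"],
}

# Ranges from which SSL VPN logins are expected; assumed for the example.
TRUSTED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]

UTC_MIN = datetime.min.replace(tzinfo=timezone.utc)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value line into a dict; values may be quoted or bare."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def sslvpn_events(log_text):
    """Extract SSL VPN login events with timestamp, user, source IP and outcome."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        msg = rec.get("msg", "")
        if not msg.startswith("SSL VPN login"):
            continue  # other firewall messages are not relevant to this hunt
        stamp = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        events.append({
            "time": stamp.replace(tzinfo=timezone.utc),
            "user": rec.get("usr", ""),
            "src": ipaddress.ip_address(rec["src"]),
            "success": msg.endswith("succeeded"),
        })
    return events

def is_trusted(src, trusted=TRUSTED_SOURCES):
    """True if the source address (string or address object) is inside a trusted range."""
    return any(ipaddress.ip_address(src) in net for net in trusted)

def untrusted_successes(events, trusted=TRUSTED_SOURCES):
    """Successful SSL VPN logins whose source is outside every trusted range."""
    return [e for e in events if e["success"] and not is_trusted(e["src"], trusted)]

def guessing_sources(events, threshold=2):
    """Sources with at least `threshold` failed SSL VPN logins (password guessing)."""
    failures = {}
    for e in events:
        if not e["success"]:
            failures[e["src"]] = failures.get(e["src"], 0) + 1
    return {src: n for src, n in failures.items() if n >= threshold}

def stale_sslvpn_accounts(users, events, now, max_idle_days=30, group="SSLVPN Services"):
    """SSL VPN-enabled local accounts with no successful login within max_idle_days."""
    last_seen = {}
    for e in events:
        if e["success"]:
            last_seen[e["user"]] = max(last_seen.get(e["user"], UTC_MIN), e["time"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, groups in users.items()
                  if group in groups and last_seen.get(u, UTC_MIN) < cutoff)

def report(log_text=SAMPLE_LOG, users=LOCAL_USERS, now=None):
    """Run all three checks and return plain-Python results suitable for a ticket."""
    now = now or datetime(2025, 8, 6, tzinfo=timezone.utc)  # assumed review date
    events = sslvpn_events(log_text)
    return {
        "untrusted_logins": [(e["user"], str(e["src"])) for e in untrusted_successes(events)],
        "guessing_sources": {str(s): n for s, n in guessing_sources(events).items()},
        "stale_accounts": stale_sslvpn_accounts(users, events, now),
    }

if __name__ == "__main__":
    for check, findings in report().items():
        print(f"{check}: {findings}")
```

On the constructed sample the report flags the svc-scan login from 192.0.2.77 (a successful SSLVPN login from outside the trusted ranges, preceded by two failed attempts against admin from the same source) and lists j.doe and old-contractor as SSLVPN-enabled accounts with no login in 30 days. A successful login that follows failures from the same untrusted source is the pattern worth treating as an incident rather than a hygiene finding; the account removal and source restriction in SonicWall's list are what would have prevented it.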

DefenseStorm Response

DefenseStorm recommends that all SonicWall customers review any advisories received from or published by SonicWall and evaluate whether they apply to their organization.

DefenseStorm always recommends applying any changes in accordance with your existing internal policies and change controls.

Please bookmark: https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430 to stay up to date with the latest developments related to this incident.

James Bruhl

Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordination efforts to mitigate the impact of breaches, vulnerability identification, and strategy implementation to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.