Enterprise security company SonicWall is advising customers to disable a core feature of its latest line of firewall devices following reports of increased ransomware attacks targeting its users. In a recent statement, SonicWall noted a significant rise in security incidents involving its Generation 7 firewalls when the VPN feature is enabled. The company is currently investigating whether these incidents are linked to a known vulnerability or whether a new flaw may be responsible.
Security researchers have observed hackers exploiting SonicWall devices to gain initial access to corporate networks. Enterprise products like firewalls and VPNs, which act as digital gatekeepers for employee access, are increasingly targeted by malicious actors. Flaws in these systems can allow attackers to infiltrate networks, leading to data theft or destructive attacks.
Arctic Wolf, a security firm, reported intrusions targeting SonicWall customers as early as mid-July. The firm suggested that the attacks may involve a zero-day vulnerability—a security flaw exploited before a patch is available. Researchers noted a short delay between the exploitation of SonicWall firewalls and the deployment of ransomware.
Another cybersecurity firm, Huntress Labs, stated that a zero-day bug in SonicWall firewalls is likely behind the attacks. The hackers exploiting this vulnerability have been observed accessing company domain controllers, which manage network devices and users. Huntress also linked some of the attacks to the Akira ransomware group, known for targeting enterprise products like Fortinet firewalls to breach large networks.
Huntress emphasized that this represents a critical and ongoing threat.