Full Report
SonicWall has warned customers to disable SSLVPN services due to ransomware gangs potentially exploiting an unknown security vulnerability in SonicWall Gen 7 firewalls to breach networks over the past few weeks. [...]
Analysis Summary
# Vulnerability: Undisclosed Attacks Targeting SonicWall Gen 7 SSLVPN
## CVE Details
- CVE ID: Not specified in the advisory (Investigation ongoing for potential new vulnerability or linkage to existing ones).
- CVSS Score: Not specified.
- CWE: Not specified.
## Affected Systems
- Products: SonicWall Gen 7 Firewalls.
- Versions: Not listed; the advisory applies to any Gen 7 firewall with SSLVPN enabled.
- Configurations: Devices with SSLVPN service enabled.
## Vulnerability Description
SonicWall issued an urgent advisory after observing a notable increase in cyber incidents targeting Gen 7 firewalls with the SSLVPN service active. The company is investigating whether these incidents stem from a previously disclosed vulnerability (such as CVE-2025-40599 on SMA 100, although this advisory concerns Gen 7 firewalls) or from a new, undisclosed one. The observed activity is directed at the SSLVPN endpoints themselves.
## Exploitation
- Status: Under active investigation; high number of reported incidents suggests **active targeting/exploitation**.
- Complexity: Not specified, but the urgency suggests potential low-to-medium complexity for initial access.
- Attack Vector: **Network** (Remote access via SSLVPN).
## Impact
- Confidentiality: Unknown (Likely High, given the context of ongoing cyber incidents).
- Integrity: Unknown (Likely High).
- Availability: Unknown (Potential for disruption if compromise is successful).
## Remediation
### Patches
- No specific patch details are provided as the full vulnerability may still be under investigation. SonicWall advises applying mitigations immediately.
### Workarounds
SonicWall strongly urges customers to implement the following immediate mitigations:
1. **Disable SSL VPN services** whenever possible.
2. **Limit SSL VPN connectivity** to trusted source IP addresses.
3. **Enforce Multi-Factor Authentication (MFA)** for all remote access.
4. **Remove unused accounts.**
## Detection
- Enable security services such as **Botnet Protection** and **Geo-IP Filtering** to identify and block known threat actors targeting SSL VPN endpoints.
- Monitor for unauthorized remote-access attempts and for anomalous use of valid credentials (the SMA 100 attacks involving the OVERSTEP rootkit provide relevant context).
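The source-IP restriction, the unused-account cleanup and the monitoring item above can all be checked against the same authentication log. The script below is an added example, not code from SonicWall or from the advisory; it assumes a simplified, constructed line format (`<timestamp> sslvpn user=<name> src=<ip> result=<success|failure>`) rather than the appliance's real syslog schema, and uses RFC 5737 documentation addresses as sample data. It flags successful SSLVPN logins from outside a trusted CIDR allowlist, logins by accounts not in the active roster, and repeated failures against one account from one source.

```python
import ipaddress
import re
from collections import Counter

# Constructed log format for this example (an assumption, not SonicWall's syslog schema):
#   <timestamp> sslvpn user=<name> src=<ip> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+sslvpn\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
    r"\s+result=(?P<result>success|failure)$"
)

# Constructed sample input (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2025-08-04T09:53:36Z sslvpn user=alice src=198.51.100.10 result=success
2025-08-04T09:54:02Z sslvpn user=bob src=203.0.113.45 result=success
2025-08-04T09:55:17Z sslvpn user=svc_old src=198.51.100.22 result=success
2025-08-04T09:56:01Z sslvpn user=alice src=203.0.113.9 result=failure
2025-08-04T09:56:03Z sslvpn user=alice src=203.0.113.9 result=failure
2025-08-04T09:56:05Z sslvpn user=alice src=203.0.113.9 result=failure
2025-08-04T09:56:07Z sslvpn user=alice src=203.0.113.9 result=failure
2025-08-04T09:56:09Z sslvpn user=alice src=203.0.113.9 result=failure
this line is not an sslvpn record and is skipped
"""

# Trusted source ranges (workaround 2) and the roster of accounts that should exist (workaround 4).
TRUSTED_CIDRS = ["198.51.100.0/24"]
ACTIVE_ACCOUNTS = {"alice", "bob"}


def parse_line(line):
    """Return a dict with ts/user/src/result, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, trusted_cidrs, active_accounts, fail_threshold=5):
    """Return a list of (finding_kind, user, src) tuples for the given log text."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    failures = Counter()  # (user, src) -> number of failed attempts

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            findings.append(("unparseable_source", rec["user"], rec["src"]))
            continue

        if rec["result"] == "failure":
            failures[(rec["user"], rec["src"])] += 1
            continue

        # Successful login: check the allowlist and the account roster.
        if not any(src in n for n in nets):
            findings.append(("untrusted_source", rec["user"], rec["src"]))
        if rec["user"] not in active_accounts:
            findings.append(("unknown_account", rec["user"], rec["src"]))

    # Repeated failures against one account from one source indicate credential guessing.
    for (user, src), n in failures.items():
        if n >= fail_threshold:
            findings.append(("repeated_failures", user, src))
    return findings


if __name__ == "__main__":
    for kind, user, src in analyze(SAMPLE_LOG, TRUSTED_CIDRS, ACTIVE_ACCOUNTS):
        print(f"{kind:20s} user={user} src={src}")
```

On the sample data this reports bob's login from an address outside the allowlist, a login by `svc_old`, which is not in the active roster, and five failures against `alice` from one source. The failure threshold and the CIDR list are the knobs to tune to the environment; the point of keeping the roster check is that an account nobody recognises succeeding at SSLVPN authentication is exactly the signal that workaround 4 is meant to remove.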
## References
- Vendor Advisory (General reference for Gen 7 issue): hxxps://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
- Contextual reference regarding SMA 100 vulnerability (CVE-2025-40599): hxxps://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-rce-flaw-in-sma-100-vpn-appliances/