SSL VPN Activity: What We Know and What’s Next

by Jordan Riddles

A look at the recent SSL VPN incidents, what really happened and why strong fundamentals still matter in cybersecurity.

 

When reports first emerged of a possible zero-day vulnerability targeting SonicWall Gen 7 firewalls with SSL VPN enabled, the industry, media, partners and customers understandably took notice. The potential for a new, unknown exploit prompted immediate investigation from our side as well as from trusted third-party researchers, including Arctic Wolf, Field Effect, GreyNoise, Mandiant and Huntress.

What we found was something both more reassuring and more revealing: this wasn’t a new or unknown vulnerability. The activity in question was tied to CVE-2024-40766, a previously disclosed issue for which guidance and patches had already been published last year. That’s good news. But digging into why and how this happened is crucial to making sure it doesn’t happen again.

What We Discovered

At the time of writing, the number of confirmed incidents was fewer than 40 and almost all traced back to a specific set of conditions. Many of the affected firewalls were part of migration projects from Gen 6 to Gen 7, where local user passwords were carried over instead of being reset. This step, though clearly called out in the migration documentation, was often overlooked, leaving firewalls vulnerable.

In addition, several of the impacted devices were running older firmware and had not been updated to SonicOS 7.3. That version includes enhancements specifically designed to defend against brute-force attacks and to strengthen password and MFA protections, safeguards that significantly reduce the likelihood of this kind of activity succeeding.

A Moment for Reflection  

It’s easy to focus attention on zero-days and headline-grabbing vulnerabilities. But most successful attacks don’t require new exploits; they rely on known weaknesses and lapses in basic security hygiene. In this case, threat actors exploited a vulnerability that had been publicly known for a full year. Outdated firmware, unchanged credentials and incomplete configurations created conditions that these attackers could exploit. This attack exemplifies a persistent pattern where threat actors continue to exploit older, well-documented vulnerabilities rather than investing in discovering new ones.

Things like resetting passwords during major upgrades, enabling features like Botnet Protection and Geo-IP Filtering, cleaning up inactive accounts, and enforcing strong MFA policies may not seem exciting, but they’re critical. They’re the foundation of good cybersecurity posture. And when those fundamentals are skipped, even patched systems can remain exposed.

How Managed Security Services Can Help 

For many organizations, especially those juggling multiple sites or complex environments, keeping every unit current on patches, settings and best practices isn’t a one-time task; it’s an ongoing discipline. True protection requires active oversight, with regular check-ins, updates and verification to ensure nothing slips through.

Some partners build this active management directly into their service model, while others choose to extend their capabilities with SonicWall Managed Security Services (MSS). By dedicating the necessary time and expertise week after week, these teams provide the vigilance and follow-through that keep firewalls resilient, from applying critical updates to validating configurations and enforcing policies across the board.  

With a co-managed approach like SonicWall’s Managed Protection Security Suite (MPSS), organizations gain a team of experts who ensure that upgrades are done right, best practices are followed, configurations are hardened and no critical step gets missed. It’s about adding a layer of confidence and continuity to the day-to-day realities of running secure infrastructure.

Looking Ahead

This wasn’t a zero-day, but it was a wake-up call. If there was ever a moment to double-check processes, recommit to best practices and recognize the power of proactive security, it’s now.

We’re grateful to our partners who fight this fight every day, as well as to those who immediately challenged us with questions and moved quickly to protect their clients. We sincerely appreciate the researchers who selflessly collaborated with our internal research teams and the broader cybersecurity community for their vigilance. We remain committed to transparency, collaboration and delivering tools and services that help keep your environments safe – all day, every day. 

 

An Article By

Jordan Riddles

Content & Copywriting Specialist

Jordan Riddles is a Content & Copywriting Specialist at SonicWall, where he helps bring complex cybersecurity topics to life through clear, engaging content. Since joining the team in 2023, he’s written everything from blogs and email campaigns to case studies, threat briefs and threat reports—always with an eye toward making technical info accessible and interesting. Before SonicWall, Jordan worked as an editor and copywriter in the publishing world. He’s a proud graduate of Northeastern State University in Tahlequah, Oklahoma.
