Gen 7 and newer SonicWall Firewalls – SSLVPN Recent Threat Activity

Following our earlier communication, we want to share an important update on our ongoing investigation into the recent cyber activity involving Gen 7 and newer firewalls with SSLVPN enabled. 

We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015.

We are currently investigating fewer than 40 incidents related to this cyber activity. Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset. Resetting passwords was a critical step outlined in the original advisory.

SonicOS 7.3 includes additional protections against brute-force password and MFA attacks. Without these protections, password and MFA brute-force attacks are more feasible.

Updated Guidance

To ensure full protection, we strongly urge all customers who have imported configurations from Gen 6 to newer firewalls to take the following steps immediately: 

  • Update firmware to version 7.3.0, which includes enhanced protections against brute force attacks and additional MFA controls. Firmware update guide 
  • Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7. 
  • Continue applying the previously recommended best practices:
  • If any local administrator accounts have been compromised, attackers may exploit administrative features such as packet capture, debugging, logging, configuration backup, or MFA control to obtain additional credentials, monitor traffic, or weaken the overall security posture. It is advisable to review any packet captures, logs, MFA settings, and recent configuration changes for unusual activity, and rotate any credentials that may have been exposed (for example, the LDAP login/bind credential).
  • Review LDAP SSLVPN Default User Groups.
  • We are observing increased threat activity from actors attempting to brute-force user credentials. To mitigate risk, customers should enable Botnet Filtering to block known threat actors and ensure Account Lockout policies are enabled.
    NOTE: The local user account password recommendation does not apply to auto-generated or locally duplicated LDAP/RADIUS users. SonicOS does not store the passwords of these users. A user is a local user only if a password has been set for it in the firewall management interface.

We’ll continue to update the KB article with any further developments.

We appreciate the continued support from third-party researchers who have helped us throughout this process, including Arctic Wolf, Google Mandiant, Huntress, and Field Effect.

Thank you for your continued partnership, attention, and vigilance. 

-- SonicWall Team


Change Log

  • 2025-08-04 10:00 AM PDT:  Initial publish.
  • 2025-08-06 10:26 AM PDT:  Added links under the mitigation steps, updated title.
  • 2025-08-06 2:30 PM PDT: Updated key findings and revised guidance.
  • 2025-08-06 4:15 PM PDT: Updated third-party researchers.
  • 2025-08-07 1 PM PDT: Updated formatting.
  • 2025-08-07 3:15 PM PDT: Added guidance for local administrator credential compromise, related to CVE-2024-40766.
  • 2025-08-08 11:30 AM PDT: Minor formatting adjustments.
  • 2025-08-08 2:35 PM PDT: No update to guidance. Today’s additional examples support our guidance.
  • 2025-08-09 1:00 PM PDT: No update to guidance.
  • 2025-08-10 1:00 PM PDT: No update to guidance.
  • 2025-08-14 2:15 PM PDT: Updated local admin section to include LDAP example. Added LDAP SSLVPN default user group bullet point.
  • 2025-08-18 3:30 PM PDT: Added 6th bullet point describing attempted brute-force activity and also linked to botnet filtering and account lockout policy KBs.
  • 2025-08-19 9:27 AM PDT: Updated Botnet Protection KB link under 3rd bullet point.
  • 2025-08-21 2:55 PM PDT: Added a note clarifying that the local user account password recommendation does not apply to auto-generated or locally duplicated LDAP/RADIUS users.
  • 2025-08-22 4:27 AM PDT: Updated the password recommendation note by removing the reference to imported users.
  • 2025-08-22 6:42 AM PDT: Updated the 4th bullet point to remove the redundant entry for CVE-2024-40766.