Attackers Actively Targeting Critical Vulnerability in SonicWall SSL VPN

Scott Walsh, August 07, 2025

On August 1, 2025, researchers from Arctic Wolf published new findings that threat actors are actively targeting SonicWall SSL VPNs (secure sockets layer virtual private networks). Attackers can bypass multi-factor authentication (MFA), take control of privileged accounts, and deploy ransomware. Huntress researchers affirmed they were observing similar activity.

Users should disable the VPN service immediately, if possible. Otherwise, restrict access via IP allow-listing.

SonicWall said it has high confidence that the recent threat activity is not connected to a zero-day vulnerability, but instead correlates with an existing vulnerability (CVE-2024-40766). 

What happened?

SonicWall said in its latest guidance that this is an improper access control vulnerability, first published in August 2024, in the SonicOS management access and SSL VPN, which can lead to unauthorized access and cause the firewall to crash. 

In some instances, fully patched SonicWall devices were affected following credential rotation. Every system previously thought to be secure is now confirmed to be insecure, expanding the global attack surface from just unpatched systems to all systems.

SonicWall said that many of the incidents appear related to migrations from sixth- and seventh-generation (Gen 6 and Gen 7) firewalls, where local passwords were carried over during the migrations and were not reset.

How do businesses address this?

In situations where no immediate fix is available, mitigation can really only take two forms: 

  1. Disable the service completely

  2. Tightly restrict the IP addresses that are allowed to connect to the affected system.

Both of these methods function to reduce the vulnerable attack surface. If an attacker can’t access the system via the vulnerability, they cannot attack it.

SonicWall updated its official guidance on August 6, urging customers (who have imported configurations from Gen 6 to newer firewalls) to update their firmware to version 7.3.0, following the guide. The new update includes enhanced protections against brute-force attacks and additional MFA controls. 

Users should reset all local user account passwords for any accounts with SSL VPN access, especially if they were carried over during migration from Gen 6 to Gen 7. 

SonicWall also recommended that customers follow security hygiene best practices: 

  1. Enable Botnet Protection and Geo-IP Filtering. 

  2. Enforce MFA and strong password policies.

  3. Remove unused or inactive user accounts. 
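The password-reset and account-cleanup guidance above can be turned into a triage list. The following is an added example, not code from SonicWall or Coalition: it flags SSL VPN accounts whose passwords predate the migration or have not been reset since remediation began, plus inactive accounts. The inventory columns, the migration date, and the 90-day inactivity threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed inventory of local firewall users. The columns are assumptions
# for this example, not a SonicWall export format.
SAMPLE_INVENTORY = """\
username,sslvpn_access,password_last_set,last_login
alice,yes,2023-02-10,2025-07-30
bob,yes,2025-08-06,2025-08-06
svc_backup,yes,2022-11-01,2024-01-15
carol,no,2021-05-20,2025-07-01
dave,yes,2025-03-12,
"""

def triage_accounts(inventory_csv, migration_date, remediation_date,
                    today, inactive_days=90):
    """Map username -> list of findings for accounts that need action.

    carried_over:  SSL VPN account whose password predates the migration.
    pending_reset: SSL VPN account not reset since remediation began.
    inactive:      no login within inactive_days (or never logged in).
    """
    cutoff = today - timedelta(days=inactive_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        flags = []
        pw_set = date.fromisoformat(row["password_last_set"].strip())
        if row["sslvpn_access"].strip().lower() == "yes":
            if pw_set < migration_date:
                flags.append("carried_over")
            elif pw_set < remediation_date:
                flags.append("pending_reset")
        last_login = (row["last_login"] or "").strip()
        if not last_login or date.fromisoformat(last_login) < cutoff:
            flags.append("inactive")
        if flags:
            findings[row["username"].strip()] = flags
    return findings

if __name__ == "__main__":
    report = triage_accounts(SAMPLE_INVENTORY,
                             migration_date=date(2025, 1, 15),   # constructed
                             remediation_date=date(2025, 8, 6),  # assumed
                             today=date(2025, 8, 7))
    for user, flags in report.items():
        print(f"{user}: {', '.join(flags)}")
```

Accounts flagged `carried_over` are the first to reset; accounts flagged `inactive` are candidates for removal rather than reset.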

Who's at risk?

Huntress said it has already observed attacks directly related to this vulnerability, all of which were reportedly tied to Akira ransomware.

Among Coalition policyholders notified about this vulnerability, the most common industry impacted (25%) was the professional services industry. Most policyholders were small businesses by revenue (96%) with fewer than 50 employees (62%).

When a particular product, like SonicWall SSL VPN, has a vulnerability disclosed, it raises questions about the security of the rest of the system and what other components may be vulnerable. 

Additionally, when the vulnerabilities are of lower sophistication and easier to exploit, a product becomes a more attractive target because it signals a potential lack of basic security within the product and a higher return on investment for attackers developing the attack method.

Coalition’s Cyber Threat Index 2025 previously found that most ransomware incidents start with the exploitation of VPNs, remote desktop tools, and firewalls. These technologies are highly targeted by threat actors seeking a way to breach the perimeter to access sensitive information. VPNs, in particular, are often poorly segregated from the rest of an organization’s digital infrastructure, making it easier for an attacker to move within the network after exploiting a vulnerability. 

While the exploitation of boundary devices is not a new phenomenon, exploits do seem to be happening more frequently. According to Coalition’s Risky Tech Ranking, SonicWall products had 23% more vulnerabilities in Q2 2025 versus Q1 2025. 

How is Coalition responding?

Coalition notified any impacted policyholders on Monday, August 5. This is an evolving situation, and customers should pay attention to SonicWall’s most up-to-date advisories and the latest news regarding this vulnerability. 

Coalition policyholders can log in to Coalition Control® for the most recent updates. We continue to monitor the situation closely. For any questions about this vulnerability or assistance with mitigation, please contact Coalition’s Security Support Center (securitysupport@coalitioninc.com).



This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The statements contained herein are not a proposal of insurance but are for informational purposes only. Insurance coverage is subject to and governed by the terms and conditions of the policy as issued. Coalition makes no representations regarding coverages, exclusions, or limitations in any products offered on behalf of any insurer. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, nor assumes responsibility or liability for the content, privacy policy, or practices of any such third-party websites. Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.
