Investigation: Attacks on Sonicwall firewalls probably via vulnerability from 2024
There are new findings on the attacks against Sonicwall firewalls. According to the manufacturer, the attackers are apparently not exploiting a zero-day vulnerability.
Sonicwall has reviewed recent evidence of attacks on certain firewall series and has now concluded that the attackers are probably not targeting a zero-day vulnerability. Rather, the entry point is most likely a vulnerability that was disclosed in 2024.
Patch it now!
The company says so in an updated advisory. A few days ago, attacks on Gen 7 firewalls made headlines, and several security researchers suspected a zero-day vulnerability as the starting point.
Sonicwall states that it is highly likely that the attackers are once again targeting an older vulnerability rated “critical” (CVE-2024-40766, an improper access control flaw in SonicOS), which was already exploited in ransomware attacks in 2024. Security updates have been available since then, but the current attacks show that they have evidently not been installed everywhere. Admins should therefore urgently check whether their devices are already patched.
Further details
The firewall manufacturer states that it is currently aware of fewer than 40 cases. The attacks primarily focus on firewalls that were migrated from the Gen 6 to the Gen 7 series, where the local user passwords were carried over as part of the migration, which is a security risk in this context. In its advisory at the time, Sonicwall instructed admins to change the passwords of all users with SSL VPN access. Where attacks succeed, attackers can take over admin accounts, among other things.
In addition to resetting passwords, admins must ensure that at least firmware 7.3.0 is installed. For additional protection, botnet protection, geo-IP filtering, and multi-factor authentication (MFA) should also be enabled. Furthermore, admins should review the user accounts and immediately delete inactive and unknown ones.
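The checklist above (firmware 7.3.0 or later, password resets for SSL VPN users carried over from Gen 6, botnet protection, geo-IP filtering, MFA, and removal of inactive or unknown accounts) can be turned into a triage script that runs over a fleet inventory. The following is an added example and not code from Sonicwall or from the article; the inventory record format, the sample devices and users, the 90-day inactivity threshold and the reference date are all constructed assumptions. In practice the records would be populated from your asset inventory or a SonicOS configuration export.

```python
"""Triage helper for the Sonicwall Gen 7 hardening steps (added example).

Inventory format, sample devices and thresholds are constructed assumptions;
nothing here queries a real firewall.
"""
from datetime import datetime, timedelta
import re

MIN_FIRMWARE = (7, 3, 0)             # SonicOS 7.3.0 is the minimum named in the guidance
INACTIVE_AFTER = timedelta(days=90)  # assumption: no login for 90 days counts as inactive


def parse_sonicos_version(version):
    """Parse 'major.minor.patch[-build]' (e.g. '7.0.1-5119') into a tuple of
    ints. The build suffix is ignored for the minimum-version comparison."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def triage(fw, now):
    """Return the list of remediation actions for one firewall record."""
    actions = []
    if parse_sonicos_version(fw["firmware"]) < MIN_FIRMWARE:
        actions.append(f"upgrade firmware {fw['firmware']} to 7.3.0 or later")
    for feature in ("botnet_protection", "geo_ip_filter", "mfa"):
        if not fw["features"][feature]:
            actions.append(f"enable {feature}")
    for user in fw["users"]:
        name = user["name"]
        # Passwords carried over from Gen 6 must be reset for SSL VPN users.
        if fw["migrated_from_gen6"] and user["sslvpn"]:
            actions.append(f"reset password of SSL VPN user {name} (carried over from Gen 6)")
        # Unknown accounts are deleted outright; known ones only if inactive.
        if name not in fw["known_accounts"]:
            actions.append(f"delete unknown account {name}")
        elif user["last_login"] is None or now - user["last_login"] > INACTIVE_AFTER:
            actions.append(f"delete inactive account {name}")
    return actions


NOW = datetime(2025, 8, 8)  # fixed reference time so the example is deterministic

# Constructed sample inventory (hypothetical devices, not real ones).
INVENTORY = [
    {
        "name": "fw-branch-01",
        "firmware": "7.0.1-5119",
        "migrated_from_gen6": True,
        "features": {"botnet_protection": False, "geo_ip_filter": True, "mfa": False},
        "known_accounts": {"admin", "alice", "bob"},
        "users": [
            {"name": "alice", "sslvpn": True, "last_login": datetime(2025, 8, 1)},
            {"name": "contractor", "sslvpn": True, "last_login": datetime(2024, 11, 2)},
            {"name": "admin", "sslvpn": False, "last_login": datetime(2025, 8, 7)},
            {"name": "bob", "sslvpn": False, "last_login": datetime(2025, 3, 1)},
        ],
    },
    {
        "name": "fw-hq-01",
        "firmware": "7.3.0-7012",
        "migrated_from_gen6": False,
        "features": {"botnet_protection": True, "geo_ip_filter": True, "mfa": True},
        "known_accounts": {"admin"},
        "users": [{"name": "admin", "sslvpn": False, "last_login": datetime(2025, 8, 5)}],
    },
]


def report(inventory, now=NOW):
    """Map firewall name -> actions, omitting firewalls that need nothing."""
    result = {}
    for fw in inventory:
        actions = triage(fw, now)
        if actions:
            result[fw["name"]] = actions
    return result


if __name__ == "__main__":
    for name, actions in report(INVENTORY).items():
        print(name)
        for action in actions:
            print("  -", action)
```

Running the script lists only fw-branch-01: it needs the firmware upgrade, botnet protection and MFA enabled, password resets for both SSL VPN users, deletion of the unknown account contractor and of the inactive account bob. The patched, never-migrated fw-hq-01 produces no actions. The version parser deliberately ignores the build suffix so that any 7.3.0 build passes the check; tighten it if your own baseline names a specific build.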
(des)