SonicWall VPN? You have an emergency - tonight.

TLDR: SonicWall have, over the last 24 hours, taken the unusual step of recommending that any organisation using their Generation 7 devices to provide SSL VPN access to corporate resources turn this functionality off. Not "patch it". Not "enforce MFA". Turn it off. There is a high volume of exploitation happening right now, led by the Akira ransomware group, following days of active exploitation against a vulnerability that doesn't even have a CVE reference yet. If you have a SonicWall device and your users are expecting to use it tomorrow - they may find that their files have been encrypted when they do.
VPNs have been the dependable way in for years. With the right credentials, an attacker doesn’t need a daisy chain of exploits or weeks of recon. They sign in, they blend in, and they move. When vulnerabilities have been in play, they’ve usually been the published kind that lingered unpatched. The industry’s bargain was simple: enforce MFA, keep the appliance current, and you’d sleep at night. Even we at Strand made this recommendation - you can stop the >50% of ransomware incidents that originate via VPN compromises with patches and good authentication hygiene.
That advice isn't valid today for SonicWall customers. Over the last seventy-two hours in particular, intrusions against organisations running Generation 7 SonicWall firewalls with SSL VPN enabled have accelerated enough that the vendor’s guidance is stark: turn SSL VPN off while they investigate. That isn’t a configuration tweak; it’s a stop-the-bleeding instruction that acknowledges active, high-volume exploitation and a likely zero-day flaw in the SSL VPN path. Multiple incident reports describe compromises in environments that were both patched (yes, even against last week's SonicWall vulnerabilities) and MFA-enforced.
If you run one of these devices, this isn't a theoretical issue. There is a very real chance a threat actor will attempt to compromise your network imminently. They are moving at pace, with their eyes set on volume. Activity ramped in mid-July and spiked in the last few days, with the interval from “VPN event” to “ransomware impact” often measured in hours. Investigations performed through Strand found the shortest exploit-to-encryption path to be 3 hours - with intrusion at 1am and encryption beginning at 4am, destroying 30+ virtual machines in the process.

Here is the most direct path to peace and answers today. If your business can tolerate it, follow the vendor direction and turn off SSL VPN on Gen 7 devices. If you cannot, narrow exposure to the point where access becomes expensive for an adversary and slightly inconvenient for staff: restrict inbound to fixed egress IPs you control, enforce reputation and geo policy at the SSL VPN interface, and remove stale local accounts on the firewall. Those moves reduce surface area tonight. But even with controls tightened, assume the appliance itself is going to be compromised, and shift your focus to what really decides outcomes in a campaign like this: how quickly you can prove or disprove active compromise inside the network. If Akira get in at 1am tonight, how will you know? What could they achieve before your IT team finish their coffee tomorrow?
That’s where Strand’s free, reactive breach assessment is built to earn you time. You don’t need a prior subscription or a months-long rollout. Reach out, and we’ll grant immediate access, then help you run our agents across your critical servers (domain controllers, file servers, hypervisors and backup infrastructure) so we can tell you, quickly and defensibly, whether something is wrong. Designed to reactively investigate compromises, our agents collect a snapshot of evidence from devices (recent service creations, scheduled tasks, authentication activity, security control tampering, lateral movement and many more) and combine this with our intelligence on the Akira group. We've seen the tactics they are using in this campaign, and can help you understand if they're already inside the house once you've disabled your VPN.
We also look for the tooling attackers use to make persistence and exfiltration easy. In many recent intrusions across the ecosystem, reverse tunnelling utilities such as “cloudflared” have been abused to keep a foothold and move data without opening obvious ports; our assessment flags those installations, their service wrappers, and their live processes if they exist.
If you're mid-triage at the moment, here's what to look out for:
- RDP activity from VPN-assigned IP addresses
- "Cloudflared" installed on VMs or hypervisors
- FileZilla, RClone or other data exfiltration tools being recently installed
- "w.exe" or other unrecognised executables across your systems
- Unexpected firewall changes. In some instances, we've encountered the SonicWall devices being factory reset during these attacks.
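To make that checklist concrete, here is an added example (not Strand's or SonicWall's tooling) that runs the host-side indicators above over a handful of constructed Windows event records: RDP logons sourced from the VPN client pool, service installs that wrap tunnelling tools, and process starts for known exfiltration tools or unrecognised binaries such as w.exe. The VPN client pool, host names and file paths are assumptions; substitute your own.

```python
# Added example, not code from Strand or SonicWall. Triage normalised Windows
# event records for the campaign indicators listed in the post.
import ipaddress

VPN_POOL = ipaddress.ip_network("10.10.200.0/24")  # assumed SSL VPN client pool
TUNNEL_AND_EXFIL_TOOLS = {"cloudflared", "filezilla", "rclone"}
SUSPECT_BINARIES = {"w.exe"}

# Constructed sample records, normalised from the Security and System logs.
# 4624 = account logon (LogonType 10 is RemoteInteractive, i.e. RDP),
# 7045 = a new service was installed, 4688 = a new process was created.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "DC01", "user": "jsmith", "logon_type": 10, "src_ip": "10.10.200.17"},
    {"id": 4624, "host": "DC01", "user": "jsmith", "logon_type": 10, "src_ip": "10.1.5.40"},
    {"id": 7045, "host": "HV02", "service": "Cloudflared agent", "image": r"C:\ProgramData\cloudflared.exe"},
    {"id": 4688, "host": "FS01", "image": r"C:\Users\Public\w.exe"},
    {"id": 4688, "host": "FS01", "image": r"C:\Program Files\rclone\rclone.exe"},
    {"id": 4688, "host": "FS01", "image": r"C:\Windows\System32\svchost.exe"},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events, vpn_pool=VPN_POOL):
    """Return (host, reason) findings that match the campaign indicators."""
    findings = []
    for ev in events:
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            # RDP session whose source is a VPN-assigned address
            if ipaddress.ip_address(ev["src_ip"]) in vpn_pool:
                findings.append((ev["host"], f"RDP from VPN client {ev['src_ip']} as {ev['user']}"))
        elif ev["id"] == 7045:
            # A service wrapper around a tunnelling tool keeps the foothold alive across reboots
            name = _basename(ev["image"]).removesuffix(".exe")
            if name in TUNNEL_AND_EXFIL_TOOLS:
                findings.append((ev["host"], f"service '{ev['service']}' wraps {name}"))
        elif ev["id"] == 4688:
            exe = _basename(ev["image"])
            if exe in SUSPECT_BINARIES or exe.removesuffix(".exe") in TUNNEL_AND_EXFIL_TOOLS:
                findings.append((ev["host"], f"suspicious process {ev['image']}"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(f"[{host}] {reason}")
```

Feed it records exported from your SIEM or from the event logs of the domain controllers, file servers and hypervisors the post names; an empty result is not proof of safety, only the absence of these particular signals.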
For MSPs juggling a fleet - we can help. Identify each client with a Gen 7 device and SSL VPN enabled and make a quick call: if you can turn it off, do so and buy certainty. If you can’t, restrict it ruthlessly. Either way, jump on a call with us at Strand and we'll help you assess every client site, across the handful of systems that would make or break a response at each site. You’ll get a consistent, cross-tenant picture of whether attacker infrastructure or tradecraft is repeating across clients, and help us (and the wider industry) understand these attacks in more detail.

None of this is meant to diminish SonicWall's role. A patch and a clear root cause will (hopefully) emerge soon and teams managing an SSL VPN can rest a little easier. There are already official security notes that have, in other contexts, recommended disabling the SSL-VPN component entirely when it was implicated; today’s advice to turn it off while investigations proceed is an extension of that same safety-first posture. Apply remediation promptly when it lands and verify the fix. But use this moment to challenge your own architecture. If a single internet-exposed tunnel is synonymous with reaching the heart of your environment, then every future defect on that tunnel is a countdown clock. The next improvement after “patched” is “segmented”: design so that reaching VPN does not mean reaching everything.
Right now, though, the priority is clarity. If you’re running a Gen 7 SonicWall with SSL VPN enabled and you’re even slightly unsure what your logs are telling you, get help now. Contact Strand, speak to your MSP, reach out to your security partner - don't assume that not seeing anything today guarantees safety tomorrow. Run forensic collections on critical hosts, and get a plain answer: compromised, at risk, or clean for now. Use our agents to surface unusual activity tied to this campaign, flag “cloudflared” and similar tunnels if they’re present, and give you a defensible sequence of what happened and what to do about it. No prior deployment required, no strings attached, and no delay while the situation evolves.
The lesson this week isn’t that VPNs are “bad.” It’s that depending on one fragile door at the edge invites failure when suddenly the bad guys have a key. Until the vendor publishes a fix you can trust, act on what’s certain: disable SSL VPN where you can; constrict it where you can’t; check to ensure you aren't already compromised and, if you need certainty fast, let Strand do the heavy lifting so you can make the next decision with confidence.
