Emerging Threat: Potential 0-day in SonicWall SSL-VPN Actively Exploited in the Wild
A suspected zero-day vulnerability in SonicWall SSL-VPN (SMA and firewall appliances) is being actively exploited to bypass multi-factor authentication (MFA) and rapidly deploy ransomware.
Attackers move laterally within hours of initial access, in many cases directly to domain controllers. CyberMaxx urges organizations to either disable SonicWall VPN services or restrict access using IP allow-listing. This is a serious, active, and still-developing threat.
Of note, CyberMaxx has existing detections for known techniques observed in the campaign. We will continue to update them and this thread as details and classification emerge.
Impact
- Attackers appear to bypass multi-factor authentication (MFA) and move laterally into domain controllers within hours of initial access
Mitigation
- Disable SonicWall SSL-VPN services
- Restrict VPN access using IP allow-listing
Indicators and Threat Hunting
The following indicators have been observed in the campaign. Note that some of these addresses may belong to public VPN providers, so an established session from one of them is more serious than a single failed connection attempt.
IPs
142.252.99.59
45.86.208.240
77.247.126.239
193.239.236.149
104.238.205.105
104.238.220.216
193.163.194.7
194.33.45.155
64.44.118.206
185.199.103.100
181.215.182.64
ISPs (ASNs)
AS Number | AS OrgName |
---|---|
AS23470 | ReliableSite.Net LLC |
AS215540 | Global Connectivity Solutions LLP |
AS64236 | UnReal Servers, LLC |
AS14315 | 1GSERVERS, LLC |
AS62240 | Clouvider Limited |
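As an added example (not part of the CyberMaxx advisory), the script below shows one way to hunt for the listed IPs in SSL-VPN logs while applying the caveat above: an established session from an indicator IP is escalated, while bare failed attempts are reported at lower priority. The log lines are constructed for this example and are not real telemetry; their key=value layout is loosely modelled on SonicWall syslog, and the exact `msg` strings ("login allowed", "login failed") are assumptions that should be adjusted to the message IDs your appliance actually emits.

```python
import re
from collections import defaultdict

# Indicator IPs as listed in this advisory.
CAMPAIGN_IPS = {
    "142.252.99.59", "45.86.208.240", "77.247.126.239", "193.239.236.149",
    "104.238.205.105", "104.238.220.216", "193.163.194.7", "194.33.45.155",
    "64.44.118.206", "185.199.103.100", "181.215.182.64",
}

# Constructed sample log lines, not real telemetry. The key=value layout is
# loosely modelled on SonicWall syslog; the msg strings are assumptions.
SAMPLE_LOGS = """\
time="2025-08-01 02:14:07" fw=203.0.113.10 pri=5 msg="SSL VPN zone remote user login failed" src=45.86.208.240:44021:X1 usr="admin"
time="2025-08-01 02:14:09" fw=203.0.113.10 pri=5 msg="SSL VPN zone remote user login failed" src=45.86.208.240:44022:X1 usr="administrator"
time="2025-08-01 02:16:41" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" src=142.252.99.59:51233:X1 usr="jsmith"
time="2025-08-01 02:17:05" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" src=198.51.100.77:50112:X1 usr="mlee"
time="2025-08-01 02:31:12" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" src=77.247.126.239:40110:X1 usr="svc-backup"
time="2025-08-01 02:32:00" fw=203.0.113.10 pri=5 msg="SSL VPN zone remote user login failed" src=77.247.126.239:40111:X1 usr="svc-backup"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def source_ip(event):
    """src is formatted ip:port:interface; keep only the address part."""
    return event.get("src", "").split(":")[0]


def classify(event):
    """'session' for an accepted login, 'attempt' for a rejected one, None otherwise."""
    msg = event.get("msg", "").lower()
    if "login allowed" in msg or "session established" in msg:
        return "session"
    if "login failed" in msg or "login denied" in msg:
        return "attempt"
    return None


def hunt(lines, indicators=CAMPAIGN_IPS):
    """Summarise indicator hits per source IP.

    Returns {ip: {"attempts": n, "sessions": n, "users": [...], "verdict": str}}.
    Only IPs in the indicator set are reported; any established session is
    escalated above bare failed attempts, as the advisory's caveat suggests.
    """
    hits = defaultdict(lambda: {"attempts": 0, "sessions": 0, "users": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        ip, kind = source_ip(ev), classify(ev)
        if ip not in indicators or kind is None:
            continue
        hits[ip][kind + "s"] += 1
        if ev.get("usr"):
            hits[ip]["users"].add(ev["usr"])

    result = {}
    for ip, h in hits.items():
        verdict = ("investigate now: established session" if h["sessions"]
                   else "attempts only: block and monitor")
        result[ip] = {
            "attempts": h["attempts"],
            "sessions": h["sessions"],
            "users": sorted(h["users"]),
            "verdict": verdict,
        }
    return result


if __name__ == "__main__":
    for ip, summary in sorted(hunt(SAMPLE_LOGS.splitlines()).items()):
        print(ip, summary)
```

Feed it exported firewall or SMA logs one line per record; any IP whose summary shows a non-zero `sessions` count warrants immediate investigation of the user account and of lateral movement toward domain controllers, whereas attempt-only hits are candidates for blocking and continued monitoring.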
Further Reading
https://thehackernews.com/2025/08/akira-ransomware-exploits-sonicwall.html