New VPN Attack Warning — What You Need To Know

Introduction to VPN Security

Virtual Private Networks have been the subject of myriad news headlines recently after the U.K. government’s Online Safety Act put in place age-verification requirements for sites with adult content. The humble VPN is often sold as something you need to protect against hackers on trains, at airports and in coffee shops, and is most commonly used to bypass geographic streaming restrictions, but it is not just a consumer app. VPN appliances serve serious security purposes within enterprises around the globe, typically as the remote-access gateway into the corporate network. So, when researchers issue a warning of a potential VPN attack, it’s not something that can be dismissed.

VPN Security Has A History Of Compromise

A VPN app, far from being a security silver bullet, can actually be an extension of your attack surface. How many examples would you like as evidence of this? For starters, Google’s warning about a backdoor bundled with a free VPN app; or how about the FBI warning concerning Medusa ransomware compromising VPN credentials? One more? OK, the recent Katz Stealer warning, as that threat also targeted VPN credentials. The common thread is that VPN credentials are a prime target, because a valid VPN session is an authenticated foothold inside the network rather than just a way to watch overseas television.

Latest VPN Security Warning

The latest VPN security warning comes from Julian Tuin, a senior threat intelligence researcher at Arctic Wolf Labs, who confirmed that “an increase in ransomware activity targeting SonicWall firewall devices for initial access” was observed in late July. More specifically, Tuin said, “multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs.” Questions can, and should, be asked as to whether at least some of these intrusions were the result of brute force or credential stuffing rather than an exploit, but Tuin warned that the “available evidence points to the existence of a zero-day vulnerability.” Not least because some of the affected SonicWall devices were fully patched and had credential rotation applied before the attacks took place, which undermines the usual explanation of reused or stale passwords. “Despite TOTP MFA being enabled,” Tuin said, “accounts were still compromised in some instances.” That last point matters most for defenders: a successful MFA-protected login cannot, on its own, be treated as proof that the person behind it is legitimate.

Mitigating The Potential For VPN Attack

Given that the Arctic Wolf report revolves around a spike in attacks involving the Akira ransomware group, known to have compromised more than 300 organizations and with some very high-profile names published on the group’s data leak site, the threat should not be taken lightly. Throw in the fact that SonicWall only recently issued a warning regarding CVE-2025-40599, a vulnerability in its SMA 100 series appliances that could lead to remote code execution if successfully exploited, and you would be foolish not to at least mitigate against the potential for attack. Note that the SMA 100 series is a separate remote-access product line from the SonicWall firewalls whose SSL VPN service Arctic Wolf observed being used, so patching one does not address the other. “Given the high likelihood of a zero-day vulnerability,” Tuin said, “organizations should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.” Meanwhile, SonicWall has previously said that organizations should harden defenses, including security services such as botnet protection that can help detect those targeting SSL VPN endpoints, as well as enforcing multi-factor authentication. Since MFA did not stop every intrusion in this campaign, those controls should be paired with close monitoring of SSL VPN authentication logs: successful logins from addresses never seen before for that account, several accounts logging in from the same new address within minutes, and logins outside normal working hours are the earliest signals available before the ransomware stage.
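The intrusions Tuin describes and the mitigation advice above share one practical lesson: when the appliance is patched, credentials are fresh and TOTP succeeds, the remaining early signal is the shape of the login itself. The following is an added example, written for this article and not Arctic Wolf’s or SonicWall’s tooling, of a triage pass over SSL VPN authentication logs. It builds a per-account baseline of source addresses from earlier successful logins, then flags later successes that come from a never-seen source, that land in quiet hours, or that share a source with other accounts inside a short window. The log lines are constructed in a generic key=value syslog style for illustration; the field names (`time`, `msg`, `usr`, `src`, `auth`) and the message text are assumptions, not real SonicWall message IDs or captured events.

```python
"""
Triage of SSL VPN authentication logs: flag successful logins that break a
per-account baseline. Example code added to this article; not vendor tooling.
Log format, field names and all events below are CONSTRUCTED for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three days of routine logins for two users, then a
# burst from one previously unseen address hitting both users, a failed
# guess against a third account, and a success on a dormant service account.
SAMPLE_LOG = """\
time="2025-07-21 08:02:11" msg="SSL VPN login allowed" usr="alice" src=203.0.113.10 auth=totp
time="2025-07-22 08:05:40" msg="SSL VPN login allowed" usr="alice" src=203.0.113.10 auth=totp
time="2025-07-23 08:01:03" msg="SSL VPN login allowed" usr="alice" src=203.0.113.10 auth=totp
time="2025-07-21 09:12:55" msg="SSL VPN login allowed" usr="bob" src=198.51.100.7 auth=totp
time="2025-07-22 09:15:02" msg="SSL VPN login allowed" usr="bob" src=198.51.100.7 auth=totp
time="2025-07-23 09:10:47" msg="SSL VPN login allowed" usr="bob" src=198.51.100.7 auth=totp
time="2025-07-24 02:41:09" msg="SSL VPN login allowed" usr="alice" src=192.0.2.77 auth=totp
time="2025-07-24 02:43:30" msg="SSL VPN login allowed" usr="bob" src=192.0.2.77 auth=totp
time="2025-07-24 02:44:12" msg="SSL VPN login failed" usr="carol" src=192.0.2.77 auth=password
time="2025-07-24 02:44:58" msg="SSL VPN login allowed" usr="svc-backup" src=192.0.2.77 auth=totp
"""

# Baseline is built from everything before this point; later events are judged.
CUTOFF = datetime(2025, 7, 24)

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_allowed(event):
    return event.get("msg") == "SSL VPN login allowed"


def build_baseline(events, cutoff):
    """Per-account set of source addresses seen in successful logins before cutoff."""
    baseline = defaultdict(set)
    for ev in events:
        if is_allowed(ev) and ev["time"] < cutoff:
            baseline[ev["usr"]].add(ev["src"])
    return dict(baseline)


def flag_logins(events, baseline, cutoff, window=timedelta(minutes=15),
                shared_threshold=2, quiet_hours=range(0, 6)):
    """Return one finding per successful post-cutoff login that looks wrong.

    Reasons: source never seen for that account (or account has no history),
    login during quiet hours, or several distinct accounts from the same
    source within `window`. Passing MFA does not clear any of these; the
    intrusions in the article passed TOTP too. Failed logins are ignored here
    (they belong in a separate brute-force view) but are still parsed.
    """
    recent = [ev for ev in events if is_allowed(ev) and ev["time"] >= cutoff]
    findings = []
    for ev in recent:
        reasons = []
        known = baseline.get(ev["usr"])
        if known is None:
            reasons.append("account has no prior successful logins")
        elif ev["src"] not in known:
            reasons.append(f"source {ev['src']} never seen for {ev['usr']}")
        if ev["time"].hour in quiet_hours:
            reasons.append("login during quiet hours")
        accounts = {other["usr"] for other in recent
                    if other["src"] == ev["src"]
                    and abs(other["time"] - ev["time"]) <= window}
        if len(accounts) >= shared_threshold:
            reasons.append(f"{len(accounts)} accounts from {ev['src']} within {window}")
        if reasons:
            findings.append({"time": ev["time"], "usr": ev["usr"], "src": ev["src"],
                             "mfa": ev.get("auth"), "reasons": reasons})
    return findings


def triage(log_text, cutoff):
    events = parse_log(log_text)
    return flag_logins(events, build_baseline(events, cutoff), cutoff)


def sample_findings():
    """Run the triage over the constructed sample; used by the demo below."""
    return triage(SAMPLE_LOG, CUTOFF)


if __name__ == "__main__":
    for f in sample_findings():
        print(f["time"], f["usr"], f["src"], f"mfa={f['mfa']}", "; ".join(f["reasons"]))
```

On the constructed sample, every one of the three successful logins from 192.0.2.77 is flagged even though each carries `auth=totp`, which is the point: the baseline and the clustering catch what the authentication result cannot. In production the baseline window should be weeks rather than days, the source comparison is usually done on ASN or hosting-provider category rather than exact address, and a finding on a dormant or service account deserves the highest priority, since those are the accounts least likely to have a human who will notice.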

Conclusion

The warning from Julian Tuin and the observed increase in ransomware activity targeting SonicWall firewall devices should serve as a wake-up call for organizations to review their VPN security. The potential for a zero-day vulnerability and the fact that some attacks have occurred despite security patches and credential rotation being applied, highlight the need for vigilance and proactive measures to mitigate the risk of VPN attacks.

FAQs

Q: What is the latest VPN security warning about?
A: The latest VPN security warning is about an increase in ransomware activity targeting SonicWall firewall devices for initial access, with multiple pre-ransomware intrusions observed involving VPN access through SonicWall SSL VPNs.
Q: What is the potential vulnerability that has been identified?
A: The available evidence points to the existence of a zero-day vulnerability, which could allow attackers to compromise accounts even if TOTP MFA is enabled.
Q: What can organizations do to mitigate the potential for VPN attack?
A: Organizations should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed, and harden defenses by including security services such as botnet protection and enforcing multi-factor authentication.
Q: How many organizations have been compromised by the Akira Ransomware group?
A: The Akira ransomware group is known to have compromised more than 300 organizations, with some very high-profile names published on the group’s data leak site.
Q: What is the CVE-2025-40599 vulnerability?
A: CVE-2025-40599 is a vulnerability in SonicWall SMA 100 series appliances, about which SonicWall recently issued a warning, that could lead to remote code execution if successfully exploited. The SMA 100 series is a separate product line from the firewalls whose SSL VPN service Arctic Wolf observed being used for initial access, so it should be patched on its own schedule regardless of the SSL VPN warning.
