Overview
Threat actors have been observed brute-forcing VPN credentials and bypassing multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tooling used in ransomware attacks. The bypass takes advantage of incomplete patching — a scenario where an update was applied but failed to fully close the vulnerability, leaving organizations with a false sense of security.
This campaign underscores the danger of partial remediation in network edge devices, where even a single unclosed entry point can provide ransomware operators with the foothold needed to compromise an entire organization.
What Happened
Security researchers identified a campaign in which attackers targeted SonicWall Gen6 SSL-VPN appliances. The attack chain involved two key phases:
- Credential brute-forcing: Attackers systematically submitted authentication attempts against VPN login endpoints to identify valid username/password combinations
- MFA bypass: Once valid credentials were obtained, attackers leveraged the incomplete patch state to circumvent the MFA protection that should have prevented access even with valid credentials
Following successful authentication, the threat actors deployed tools consistent with pre-ransomware activity — including network reconnaissance utilities, lateral movement frameworks, and persistence mechanisms.
The Incomplete Patching Problem
The phrase "incomplete patching" is particularly alarming here. It indicates that:
- A patch was previously released and applied by affected organizations
- The patch did not fully remediate the underlying vulnerability
- Organizations that believed they were protected were still exploitable
This is a known risk in enterprise patch management. Vendors occasionally release fixes that address the reported symptom without fully closing the underlying security flaw. In network appliances — which often have complex firmware update processes — partial fixes are especially dangerous because:
| Risk Factor | Explanation |
|---|---|
| False confidence | Organizations mark the vulnerability as "patched" and stop monitoring it |
| Slow re-patch cycles | Firmware updates on production VPN devices are change-controlled and slow |
| Edge device exposure | SSL-VPN appliances are internet-facing by design — maximum attacker access |
| High-value target | VPN access grants authenticated entry to internal networks |
SonicWall Gen6 SSL-VPN: Background
SonicWall's Gen6 hardware appliances (including the NSA, TZ, and SOHO series) are widely deployed in small-to-medium business and enterprise environments as the primary remote access VPN solution. The SSL-VPN feature allows remote users to authenticate and establish encrypted tunnels to internal networks.
These appliances have been a persistent target for ransomware-affiliated threat actors throughout 2025 and 2026, with multiple CVEs disclosed across the SonicOS firmware line. The critical nature of VPN availability often leads organizations to defer patching — a calculation that attackers actively exploit.
Threat Actor Behavior
Based on the reported attack pattern, the threat actors appear to be operating as a ransomware affiliate or initial access broker — organizations that specialize in gaining entry to corporate networks and either deploying ransomware directly or selling access to ransomware-as-a-service (RaaS) operators.
Post-authentication activity typical in these campaigns includes:
Observed post-VPN-access activity pattern:
├── Network discovery (ARP scans, SMB enumeration)
├── Credential harvesting (LSASS dumping, credential store access)
├── Lateral movement (PsExec, WMI, RDP pivot)
├── Persistence establishment (scheduled tasks, registry run keys)
├── Data staging (archiving sensitive files for exfiltration)
└── Ransomware deployment (targeting backup systems first)
Affected Organizations and Scope
SonicWall Gen6 appliances are deployed at tens of thousands of organizations globally. The SSL-VPN capability is heavily used in environments where remote work is common — making the attack surface significant.
Organizations at highest risk are those that:
- Applied prior SonicWall patches but have not installed the most recent firmware update
- Have not verified the patch was successfully applied and validated
- Do not have additional authentication controls (certificate-based auth, IP allowlisting) beyond username/password + TOTP
Immediate Action Items
1. Verify Your SonicWall Firmware Version
# Check firmware version via SonicOS Management Interface
# Navigate to: System > Settings > Firmware Management
# Confirm you are running the latest available firmware for your Gen6 appliance series
Do not rely on records from the previous patch cycle — actively confirm the current firmware version against SonicWall's published security advisories.
2. Enable Additional Authentication Controls
If your SSL-VPN configuration relies solely on password + TOTP for MFA, add supplementary controls:
- Client certificate requirements: Require a device certificate in addition to credentials
- IP allowlisting: Restrict SSL-VPN access to known corporate IP ranges where possible
- Geo-blocking: Block authentication attempts from unexpected countries
- Account lockout: Configure aggressive lockout thresholds to limit brute-force effectiveness
3. Review VPN Authentication Logs
# In SonicOS: Navigate to Log > View > All
# Filter for: Authentication, SSL-VPN, Failed Login
# Look for:
# - High-frequency failed login attempts from a single source IP
# - Successful logins immediately following failed attempts (brute-force success)
# - Logins from unusual geographic locations or at unusual hours
# - MFA-related authentication events showing bypass patterns
4. Audit Active VPN Sessions
Review all active SSL-VPN sessions for users that are not expected to be connected:
- SonicOS Management: Monitor > Active Connections Monitor > SSL VPN Sessions
- Terminate any sessions that cannot be attributed to a known, legitimate user
- Contact users associated with suspicious sessions to confirm legitimacy
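The log review in step 3 can be scripted so the same checks run on every export instead of being eyeballed once. The script below is an added example written for this article; it is not SonicWall code and does not parse real SonicOS log output. It uses a constructed, simplified line format (ISO-8601 UTC timestamp, source IP, username, outcome), and the parse_line function, the field order, the sample log and the thresholds FAIL_THRESHOLD, WINDOW, SUCCESS_AFTER_FAILS, SUCCESS_GAP and OFF_HOURS are all assumptions to adapt to the appliance's actual log format and to the organization's normal traffic. It implements three of the four checks listed in step 3: high-frequency failures from one source IP, a success that directly follows a burst of failures from the same source, and successful logins at unusual hours.

```python
"""Detect brute-force and suspicious-success patterns in VPN authentication logs.

Added example for this article, not SonicWall code. The log format is a
constructed, simplified one; real SonicOS entries differ and need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed values, not SonicWall defaults).
FAIL_THRESHOLD = 5                   # failures from one source IP inside WINDOW
WINDOW = timedelta(minutes=10)
SUCCESS_AFTER_FAILS = 3              # failures shortly before a success that make it suspicious
SUCCESS_GAP = timedelta(minutes=5)
OFF_HOURS = range(0, 5)              # UTC hours treated as unusual for this organization (assumed)

# Constructed sample log, not real SonicOS output.
# Fields: ISO-8601 UTC timestamp, source IP, username, outcome (FAILED or SUCCESS).
SAMPLE_LOG = """\
2026-03-01T02:14:05Z 203.0.113.10 admin FAILED
2026-03-01T02:14:06Z 203.0.113.10 admin FAILED
2026-03-01T02:14:07Z 203.0.113.10 jsmith FAILED
2026-03-01T02:14:08Z 203.0.113.10 jsmith FAILED
2026-03-01T02:14:09Z 203.0.113.10 jsmith FAILED
2026-03-01T02:14:11Z 203.0.113.10 jsmith FAILED
2026-03-01T02:14:40Z 203.0.113.10 jsmith SUCCESS
2026-03-01T08:02:10Z 198.51.100.7 amartin FAILED
2026-03-01T08:02:31Z 198.51.100.7 amartin SUCCESS
2026-03-01T08:15:00Z 192.0.2.5 rlee SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src_ip, user, outcome)."""
    ts, src_ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src_ip, user, outcome


def parse_log(text):
    """Parse all non-empty lines and sort them chronologically."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e[0])
    return events


def find_bruteforce_sources(events):
    """Map source IP -> peak number of failures inside any WINDOW, for IPs over threshold."""
    fails = defaultdict(list)
    for ts, ip, _user, outcome in events:
        if outcome == "FAILED":
            fails[ip].append(ts)
    flagged = {}
    for ip, times in fails.items():          # times are sorted because events are
        start, peak = 0, 0
        for end, t in enumerate(times):      # sliding window over the failure timestamps
            while t - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= FAIL_THRESHOLD:
            flagged[ip] = peak
    return flagged


def find_success_after_failures(events):
    """List (src_ip, user, timestamp) for successes that directly follow a failure burst from the same IP."""
    recent_fails = defaultdict(list)
    hits = []
    for ts, ip, user, outcome in events:
        if outcome == "FAILED":
            recent_fails[ip].append(ts)
        elif outcome == "SUCCESS":
            # keep only failures that fall inside SUCCESS_GAP before this success
            recent = [t for t in recent_fails[ip] if ts - t <= SUCCESS_GAP]
            recent_fails[ip] = recent
            if len(recent) >= SUCCESS_AFTER_FAILS:
                hits.append((ip, user, ts))
    return hits


def find_offhours_successes(events):
    """List (src_ip, user, timestamp) for successful logins during OFF_HOURS (UTC)."""
    return [(ip, user, ts) for ts, ip, user, outcome in events
            if outcome == "SUCCESS" and ts.hour in OFF_HOURS]


def report(text):
    """Run all three checks over a log export and return the findings."""
    events = parse_log(text)
    return {
        "bruteforce_sources": find_bruteforce_sources(events),
        "success_after_failures": find_success_after_failures(events),
        "offhours_successes": find_offhours_successes(events),
    }


if __name__ == "__main__":
    for name, finding in report(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample log, 203.0.113.10 is flagged by all three checks (six failures in six seconds, a success 29 seconds later, and a login at 02:14 UTC), while the single typo-then-success from 198.51.100.7 is not. Two caveats when adapting this: the off-hours check only makes sense if the appliance's log timestamps are in a known time zone, and the fourth item in step 3 (MFA events showing bypass patterns) depends on vendor-specific event IDs that the article does not list, so it is deliberately not implemented here.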
Broader Context: VPN Appliances Under Sustained Attack
SonicWall is not alone in facing sustained targeting of its SSL-VPN products. Throughout 2025-2026, Ivanti, Fortinet, Palo Alto Networks, and Citrix have all disclosed critical VPN vulnerabilities that were actively exploited. The pattern is consistent:
- Network edge devices are internet-exposed and must accept connections from unknown sources
- Authentication bypass on these devices grants immediate access to internal networks
- Ransomware operators prioritize VPN access as their preferred initial foothold
- Patching cadences for production VPN appliances are often slower than the threat demands
The SonicWall Gen6 campaign is the latest confirmation that VPN appliance security requires continuous verification, not one-time patching.
Recommendations
- Immediately verify SonicWall Gen6 firmware is at the latest available version — do not trust prior patch records
- Enable certificate-based authentication as a second factor beyond password + TOTP
- Review VPN logs for brute-force patterns and successful logins from unexpected sources
- Implement IP allowlisting where operationally feasible to limit exposure
- Consider network segmentation so that VPN-authenticated users cannot reach all internal resources by default
- Monitor endpoints reached via VPN for post-authentication lateral movement indicators
- Subscribe to SonicWall's security advisories via their PSIRT notification system
Sources
- BleepingComputer — Hackers bypass SonicWall VPN MFA due to incomplete patching
- SonicWall PSIRT Advisories