SonicWall Issues Emergency Advisory: Disable Your VPN Now!
- rigoberto34
- Aug 6, 2025
The cybersecurity world has been shaken up again this week, this time by a critical warning from SonicWall! A newly discovered zero-day vulnerability targeting SonicWall's Secure Mobile Access (SMA) and SSL VPN appliances is currently under active exploitation.
As an MSP serving the city of Laredo, we at Ghost Systems want to make sure our clients and readers understand the severity of the situation and know what steps to take immediately.
What’s Happening?
SonicWall has issued an emergency advisory urging all administrators to disable the SSL VPN feature on affected devices immediately. This comes in response to a wave of targeted attacks that exploit an unpatched vulnerability in SMA 100-series appliances. Threat actors are using this flaw to gain unauthorized access to networks, often with minimal effort.
The attacks appear to be automated and opportunistic, scanning for vulnerable devices exposed to the internet. Once compromised, attackers can deploy remote access malware, steal credentials, and potentially move laterally through your network.

Who Is Affected?
The primary target is SonicWall’s SMA 100-series devices, especially when SSL VPN is enabled. Organizations using these devices for remote access should assume they are at risk if the SSL VPN functionality is not disabled or properly patched.
Huntress, a threat detection firm and our partner, has confirmed that attackers used tools such as Advanced_IP_Scanner, other LOLBins, or built-in capabilities to enumerate accounts or network information.
They have confirmed real-world exploitation on multiple accounts and are actively working with impacted organizations. They report that attackers are installing web shells and other backdoors after successful intrusions, making cleanup especially challenging.
In some cases, attackers tried to maintain persistence on some of these machines by adding accounts and enabling or installing remote tools such as AnyDesk. It is also reported that attackers are clearing event logs and can move laterally through networks by disabling various firewall settings and security software.
What Should You Do?
SonicWall has not yet released a permanent patch as of this writing. In the meantime, these steps must be followed:
- Disable SSL VPN functionality immediately on any exposed SMA 100-series device.
- Check logs for suspicious activity, especially logins from unusual IPs or user accounts.
- Isolate affected systems and perform a forensic review if compromise is suspected.
- Contact your MSP or security provider to assess your risk and apply compensating controls.
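As an added example (not code from SonicWall, Huntress or Ghost Systems), the sketch below triages Windows event records for the post-intrusion behaviours described above: scanner execution, new accounts, AnyDesk installation and cleared logs. The record layout, host names and account names are constructed for illustration; the event IDs are the standard Windows ones.

```python
import json
import re

# Constructed sample records, one JSON object per line. The field names
# (host, channel, id, data) are assumptions for this example, not a real export format.
SAMPLE_EVENTS = """
{"host": "FS01", "channel": "Security", "id": 4624, "data": "TargetUserName=jsmith LogonType=3"}
{"host": "FS01", "channel": "Security", "id": 4688, "data": "NewProcessName=Advanced_IP_Scanner.exe"}
{"host": "FS01", "channel": "Security", "id": 4720, "data": "TargetUserName=svc_backup2"}
{"host": "FS01", "channel": "System", "id": 7045, "data": "ServiceName=AnyDesk Service"}
{"host": "FS01", "channel": "Security", "id": 1102, "data": "SubjectUserName=svc_backup2"}
{"host": "WS07", "channel": "System", "id": 7045, "data": "ServiceName=Print Helper"}
not-json debris line
"""

TOOLS = re.compile(r"advanced_ip_scanner|anydesk", re.IGNORECASE)
# (channel, event id) -> (label, whether the data field must also name a tool)
RULES = {
    ("Security", 4720): ("account created", False),
    ("Security", 1102): ("audit log cleared", False),
    ("System", 104): ("event log cleared", False),
    ("Security", 4688): ("scanner or remote tool executed", True),
    ("System", 7045): ("remote tool service installed", True),
}

def triage(lines):
    """Return {host: [labels]} for events matching the behaviours above."""
    hits = {}
    for line in lines:
        try:
            ev = json.loads(line)
            key = (ev["channel"], ev["id"])
            host, data = ev["host"], str(ev.get("data", ""))
        except (ValueError, KeyError, TypeError):
            continue  # skip blank or malformed records instead of aborting the sweep
        label, needs_tool = RULES.get(key, (None, False))
        if label and (not needs_tool or TOOLS.search(data)):
            hits.setdefault(host, []).append(label)
    return hits

def compromised_candidates(hits, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours, most first."""
    scored = {h: len(set(v)) for h, v in hits.items()}
    return sorted((h for h in scored if scored[h] >= threshold), key=lambda h: -scored[h])

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS.splitlines())
    for host in compromised_candidates(found):
        print(host, found[host])
```

A single hit can be routine administration; the threshold in `compromised_candidates` prioritises hosts where several of the reported behaviours appear together.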
Our Recommendation at Ghost Systems
For local businesses who are unsure about their exposure, contact us immediately. We can help assess your environment, apply temporary mitigations, and assist in any necessary incident response. In the meantime, we strongly advise against waiting for a patch before acting. Disable VPN access now and look for updates from SonicWall in the coming days.




