
SonicWall has issued an urgent advisory (SNWLID-2025-0009) regarding a high-severity vulnerability in its SSLVPN Virtual Office interface. Tracked as CVE-2025-32818, this flaw allows unauthenticated attackers to remotely crash affected firewalls, leading to widespread network disruptions. With a CVSS v3 score of 7.5, the vulnerability impacts multiple firewall models across SonicWall’s Gen7 and TZ80 product lines [1].
Executive Summary for Security Leaders
The vulnerability stems from a null pointer dereference (CWE-476) in the SSLVPN Virtual Office interface, enabling denial-of-service attacks without authentication. Affected organizations should prioritize patching, as no viable workarounds exist beyond disabling SSLVPN functionality. This flaw follows a pattern of SonicWall SSLVPN vulnerabilities being exploited in ransomware campaigns, including recent Akira ransomware incidents linked to CVE-2024-40766 [2].
- CVSS Score: 7.5 (High)
- Attack Vector: Network-based, no authentication required
- Impact: Firewall crash leading to service disruption
- Affected Products: Gen7 and TZ80 series firewalls
- Mitigation: Immediate patching recommended
Technical Analysis
The vulnerability specifically affects the SSL-VPN service in SonicOS, where malformed requests can trigger a null pointer dereference. This occurs during the processing of certain authentication requests, causing the firewall service to crash. The flaw is particularly concerning because it requires no authentication and can be exploited remotely over the internet when SSLVPN services are exposed.
Affected firmware versions include:
| Product Line | Vulnerable Versions | Patched Versions |
|---|---|---|
| Gen7 Firewalls (TZ270-670, NSa 2700-6700, NSsp 10700-15700) | 7.1.1-7040 to 7.1.3-7015 | 7.2.0-7015+ |
| TZ80 Series | ≤8.0.0-8037 | 8.0.1-8017+ |
SonicWall has confirmed that successful exploitation results in complete firewall service disruption, requiring manual reboot of affected devices. While the vulnerability doesn’t permit arbitrary code execution, the service disruption can be weaponized as part of larger attack chains to bypass network security controls [3].
Historical Context and Related Threats
This vulnerability follows a series of high-profile SonicWall SSLVPN flaws. Notably, CVE-2024-40766 (CVSS 9.3) was actively exploited by Akira ransomware groups in 2024, using compromised SSLVPN accounts for initial access [4]. Another critical auth bypass (CVE-2024-53704) saw widespread exploitation after public proof-of-concept code became available in February 2025 [5].
The pattern of SSLVPN vulnerabilities being rapidly weaponized suggests organizations should treat this latest flaw with urgency. Attackers frequently chain such vulnerabilities with post-exploitation techniques like credential harvesting or lateral movement tools.
Detection and Mitigation
Organizations should immediately check their SonicWall firmware versions against the vulnerable ranges. The following steps are recommended:
- Apply the latest firmware updates from SonicWall
- Monitor for unexpected SSLVPN service restarts or crashes
- Review firewall logs for malformed authentication attempts
- Consider disabling SSLVPN if immediate patching isn’t feasible
- Implement multi-factor authentication for all VPN access
SonicWall has provided specific detection guidance in their advisory, including log entries that may indicate exploitation attempts. Network monitoring for repeated connection attempts to the SSLVPN service from single sources may also help identify potential attacks in progress.
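An added example, not taken from the SonicWall advisory or the original article: a Python check of a device inventory against the version table above. The inventory rows, hostnames and status labels are constructed, and it assumes SonicOS versions order as (major, minor, patch, build) tuples; builds that fall in neither column of the table are reported as not-listed rather than guessed.

```python
import re

# Bounds from the version table above, inclusive: (lowest vulnerable or None,
# highest vulnerable, first patched). Assumption: builds compare as tuples.
ADVISORY = {
    "gen7": ((7, 1, 1, 7040), (7, 1, 3, 7015), (7, 2, 0, 7015)),
    "tz80": (None, (8, 0, 0, 8037), (8, 0, 1, 8017)),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Extract (major, minor, patch, build) from e.g. 'SonicOS 7.1.2-7019'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(product_line, firmware):
    """Return 'vulnerable', 'patched' or 'not-listed' for one device."""
    low, high, fixed = ADVISORY[product_line.lower()]
    v = parse_version(firmware)
    if v >= fixed:
        return "patched"
    if v <= high and (low is None or v >= low):
        return "vulnerable"
    return "not-listed"  # outside both table columns: check the advisory


def audit(inventory):
    """Map hostname -> status; bad rows are flagged rather than skipped."""
    report = {}
    for host, line, firmware in inventory:
        try:
            report[host] = classify(line, firmware)
        except (KeyError, ValueError):
            report[host] = "needs-review"
    return report


SAMPLE = [  # constructed inventory: hostnames and builds are made up
    ("fw-hq", "gen7", "SonicOS 7.1.2-7019"),
    ("fw-lab", "gen7", "7.0.1-5161"),
    ("fw-kiosk", "tz80", "8.0.0-8035"),
    ("fw-old", "gen7", "unknown"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```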
Conclusion
The CVE-2025-32818 vulnerability represents a significant risk to organizations using affected SonicWall devices, particularly given the critical role firewalls play in network security. The lack of authentication requirements lowers the barrier for exploitation, making widespread attacks likely. Security teams should prioritize patching and consider the broader implications of SSLVPN vulnerabilities in their threat models.
This incident reinforces the need for robust patch management processes, especially for network perimeter devices. The historical context of SonicWall vulnerabilities being rapidly weaponized suggests organizations have limited time to respond before exploitation attempts become widespread.
References
- SonicWall Advisory (SNWLID-2025-0009), SonicWall PSIRT, 2025.
- “Arctic Wolf Observes Akira Ransomware Campaign Targeting SonicWall SSLVPN Accounts”, Arctic Wolf, 2024.
- “SonicWall SSLVPN Flaw Allows Hackers to Crash Firewalls Remotely”, GBHackers, 2025.
- “SonicWall Firewall Bug Leveraged in Attacks After PoC Exploit Release”, BleepingComputer, 2025.
- “SonicWall Firewalls Under Attack: Patch Now”, The Register, 2025.
- “SonicWall SSLVPN Vulnerability: Technical Breakdown”, CybersecurityNews, 2025.
- “Critical SonicWall SSLVPN Vulnerability Actively Exploited”, HelpNetSecurity, 2024.
- “SonicWall SMA RCE Vulnerability Under Active Exploitation in 2025”, SecureBlink, 2025.