What happened
Security researchers have detailed a malware campaign in which attackers are chaining a SonicWall SSLVPN exploit with an EDR-killer component to disable endpoint defenses on compromised hosts. According to the report, threat actors have been scanning for internet-exposed SonicWall SSLVPN endpoints that remain unpatched for known vulnerabilities, using those access points to deliver a malicious payload to internal systems after authentication bypass. The delivered malware includes a module specifically designed to terminate and disable common Endpoint Detection and Response (EDR) products, clearing logs and blocking remediation tooling before executing secondary stages such as credential theft and persistent backdoor deployment. Analysis shows that the attackers leverage the compromised VPN access to move laterally into affected environments and systematically weaken host security controls to ensure long-term footholds.
Who is affected
Organizations running vulnerable SonicWall SSLVPN appliances that are internet-exposed and unpatched are affected, as attackers can use the exploit chain to gain initial access and then deploy an EDR-killer payload on internal endpoints.
Why CISOs should care
The combination of appliance exploitation with subsequent suppression of endpoint defenses increases risk by not only providing initial access but also eroding detection and response capabilities once inside, complicating containment and remediation.
3 practical actions
- Patch SonicWall SSLVPN systems. Update appliances to address the known vulnerabilities enabling initial access.
- Monitor endpoint defense status. Detect and alert on unexpected EDR service termination or disabling.
- Audit lateral movement activity. Review internal logs for suspicious connections following SSLVPN access.