A recently disclosed zero-day vulnerability in SonicWall VPN appliances has become a significant attack vector for threat actors targeting enterprises across North America. This vulnerability allows remote attackers to gain unauthorized access to networks, even when Multi-Factor Authentication (MFA) is in place.
A threat actor operating under the alias "ProfessorKliq" posted on a dark web forum, offering unauthorized VPN access to 11 organizations based in the United States and Canada. The access being sold appears tied to the SonicWall zero-day.
Industry Sectors Targeted
The listing outlines access to companies operating in a wide array of industries:
- Manufacturing and Machinery
- Logistics and Supply Chain Services
- Construction and Architecture
- Financial Services
- Automotive Repair
- Chemical Production
The presence of companies from industrial, critical infrastructure, and engineering domains increases the potential for intellectual property theft, production disruption, and downstream supply chain compromise.
Why the SonicWall VPN Zero-Day Matters
SonicWall VPNs are commonly deployed across mid-sized organizations and public sector environments. This specific zero-day vulnerability allows an attacker to bypass authentication entirely, resulting in undetectable compromise unless proactive monitoring is in place.
- VPN appliances often lack deep logging or alerting integrations with SIEM systems.
- Domain user-level access, though limited at face value, can quickly lead to domain dominance without proper segmentation.
- Exploited VPN sessions frequently bypass endpoint protection because they originate from trusted infrastructure.
This is not just a firewall or VPN problem; it is a business risk issue. Access to internal networks is now a commodity on underground markets.
How Mjolnir Security Can Help
Mjolnir Security has been tracking these underground sales and the tactics used by threat actors like ProfessorKliq for years.
- Stormbreaker Mobile Defense Suite: Deploy Microsoft Intune with custom app protection policies to restrict device-level access, enforce secure VPN routing, and block unauthorized app installations.
- Dark Web Monitoring and Actor Attribution: We monitor underground forums for your brand, domains, VPN endpoints, and credentials with takedown coordination.
- Compromise Assessments Powered by THOR: We use Nextron THOR and internal threat-hunting frameworks to sweep your network for persistence mechanisms and malware beacons.
- VPN and Zero Trust Hardening: SIEM-based alerting, network segmentation, and VPN reconfiguration to detect and prevent abuse.
- 24/7 Incident Response and Forensics: Immediate DFIR support including triage, containment, forensic imaging, memory analysis, and breach reporting.
Next Steps for At-Risk Organizations
If your organization uses SonicWall VPN appliances, the time to act is now:
- Apply all relevant patches for the SonicWall zero-day vulnerability.
- Centralize and monitor VPN logs via your SIEM.
- Review all active VPN sessions and user authentications for anomalies.
- Engage a third party to run a compromise assessment or dark web exposure scan.
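A starting point for the log review above, as an added example that is not Mjolnir Security's or SonicWall's own tooling: it parses constructed VPN authentication events and flags two patterns worth examining after an authentication-bypass disclosure, a successful login with no completed MFA step and one source address authenticating as several accounts. The key=value log layout and the field names (`msg`, `usr`, `src`, `mfa`) are assumptions for the example, not the appliance's real schema.

```python
import re
from collections import defaultdict

# Constructed sample VPN authentication events. The key=value syslog style is an
# assumption for this example, not SonicWall's actual log schema; map the field
# names to whatever your appliance and SIEM actually emit.
SAMPLE_LOGS = """\
time="2025-07-01 08:02:11" msg="VPN login" usr="jdoe" src=203.0.113.10 mfa=ok
time="2025-07-01 08:05:43" msg="VPN login" usr="asmith" src=203.0.113.10 mfa=ok
time="2025-07-01 02:17:05" msg="VPN login" usr="svc_backup" src=198.51.100.77 mfa=none
time="2025-07-01 02:18:40" msg="VPN login" usr="kwong" src=198.51.100.77 mfa=none
time="2025-07-01 02:19:12" msg="VPN login" usr="rlee" src=198.51.100.77 mfa=none
"""

# key=value pairs; values may be double-quoted (and then may contain spaces)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {k: (q if q else u) for k, q, u in KV.findall(line)}

def find_anomalies(log_text, user_threshold=3):
    """Flag (1) a VPN login that shows no completed MFA step on an appliance
    where MFA is mandatory, and (2) one source address authenticating as
    user_threshold or more distinct accounts."""
    findings = []
    users_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("msg") != "VPN login":
            continue  # only authentication events matter for this review
        if ev.get("mfa") != "ok":
            findings.append({"rule": "login_without_mfa", "usr": ev["usr"],
                             "src": ev["src"], "time": ev["time"]})
        users_by_src[ev["src"]].add(ev["usr"])
    for src, users in users_by_src.items():
        if len(users) >= user_threshold:
            findings.append({"rule": "many_users_one_source", "src": src,
                             "users": sorted(users)})
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOGS):
        print(finding)
```

Both rules are review prompts, not verdicts: a no-MFA login on an MFA-enforced appliance and a burst of accounts from one address are exactly the sessions to confirm or terminate first.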
Access to internal networks is now a commodity. Threat actors like "ProfessorKliq" are monetizing VPN weaknesses in near-real time, offering access to corporate environments at scale. The attack surface has moved beyond endpoints — remote access platforms and misconfigured identity controls are now the primary targets.