Your VPN is the front door to your business, and right now attackers are kicking at it. Two of the firewall and VPN brands small businesses run most often, Palo Alto and SonicWall, are under sustained, active attack, including a freshly exploited flaw that bypasses login entirely.
This isn't one isolated bug. It's a pattern: the internet-facing appliances that are supposed to keep attackers out have become the way they get in. Here's what's happening, in plain language, and what a small business should actually do about it.
What's happening
On the Palo Alto side, the company is warning that a GlobalProtect VPN authentication bypass, tracked as CVE-2026-0257, is now being actively exploited. Security firm Rapid7 reported seeing real attacks against customers as far back as May 17, and the US cyber agency CISA ordered federal agencies to patch it by June 1, 2026. An authentication bypass is as bad as it sounds: it can let an attacker past the login without valid credentials.
On the SonicWall side, a ransomware crew known as Akira has spent months breaking into SonicWall SSL VPNs, largely through a year-old flaw (CVE-2024-40766) and harvested credentials, in some cases getting past multi-factor authentication. The speed is the scary part: in nearly every case, the attackers encrypted the victim's files in under four hours from first access, sometimes in as little as 55 minutes.
And the two brands are not unrelated targets. Threat-intelligence firm GreyNoise watched a single group hammer Palo Alto GlobalProtect portals with over 7,000 IP addresses in one day, then turn the same tooling on SonicWall systems the next. Attackers are systematically working through whatever VPN gateway your business happens to run.
Why it matters for a small business
It's tempting to read "VPN appliance" and assume this is an enterprise problem. The opposite is true:
- These are exactly the boxes small businesses run. Palo Alto and SonicWall firewalls sit in countless small and mid-sized offices, and they're internet-facing by design, so they're the first thing an attacker probes.
- "We have MFA" is no longer a guarantee. Both campaigns show attackers getting past logins and, in some SonicWall cases, past MFA. Controls still matter, but they have to be current and correctly configured.
- You won't have time to react. Encryption in under four hours means there is no leisurely window to notice and respond by hand; prevention and monitoring have to be in place before the knock.
What to do now
None of the fixes are exotic. They're the unglamorous basics, done promptly:
- Patch the appliance now. Check your vendor's advisories and apply the fixes (CVE-2026-0257 for Palo Alto GlobalProtect, CVE-2024-40766 for SonicWall). An internet-facing VPN is the last place to fall behind on updates.
- Re-verify MFA and reset credentials. Confirm MFA is on for every VPN account, and reset passwords after any firmware migration or patch; the SonicWall flaw lived in carried-over credentials.
- Shrink the target. Restrict who can even reach the VPN portal (by IP or geography where you can), and watch login activity for spikes.
- Assume you might be hit. Keep tested, offline backups and a simple incident plan, so a bad day stays an inconvenience rather than a closure.
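For the "shrink the target" step, here is an added example (not part of the original article, and not vendor code) of what watching login activity can look like: a short Python script that flags hours with failed logins from many different addresses, and successful logins from outside your expected networks. The log format, the threshold and the office network range are constructed assumptions; real Palo Alto or SonicWall logs need their own parsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in a made-up format (not a real vendor log layout).
SAMPLE_LOG = """\
2026-05-20T02:00:05 vpn-auth user=admin src=198.51.100.10 result=fail
2026-05-20T02:00:09 vpn-auth user=admin src=198.51.100.11 result=fail
2026-05-20T02:01:12 vpn-auth user=alice src=198.51.100.12 result=fail
2026-05-20T02:03:40 vpn-auth user=bob src=198.51.100.13 result=fail
2026-05-20T02:07:02 vpn-auth user=bob src=203.0.113.77 result=ok
2026-05-20T09:02:11 vpn-auth user=alice src=192.0.2.15 result=ok
2026-05-20T09:05:30 vpn-auth user=bob src=192.0.2.20 result=fail
"""

LINE_RE = re.compile(r"^(\S+) vpn-auth user=(\S+) src=(\S+) result=(ok|fail)$")


def parse(text):
    """Yield (time, user, source IP, result) for every line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            yield datetime.fromisoformat(ts), user, ip_address(src), result


def review(text, allowed_nets, max_fail_sources=3):
    """Return (spike_hours, outside_logins).

    spike_hours: hours where failures came from more than max_fail_sources
    distinct addresses (one mistyped password does not trip it).
    outside_logins: successful logins from outside the allowed networks.
    """
    nets = [ip_network(n) for n in allowed_nets]
    fail_sources = defaultdict(set)  # hour -> distinct IPs with failed logins
    outside = []
    for ts, user, src, result in parse(text):
        hour = ts.replace(minute=0, second=0, microsecond=0)
        if result == "fail":
            fail_sources[hour].add(src)
        elif not any(src in n for n in nets):
            outside.append((ts.isoformat(), user, str(src)))
    spikes = {h.isoformat(): len(s) for h, s in fail_sources.items()
              if len(s) > max_fail_sources}
    return spikes, outside


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the office range (an assumption).
    print(review(SAMPLE_LOG, ["192.0.2.0/24"]))
```

In the sample, the 2 a.m. burst from four addresses is flagged along with the successful login that followed it from an unexpected address, while the single failed login from the office range at 9 a.m. is not.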
The bigger shift
The deeper lesson isn't about one vendor. It's that the old model, a hardware VPN box exposed to the internet as your perimeter, is increasingly the weak point rather than the wall. The brand on the box matters less than whether it's patched, monitored, and locked down, and whether you have a plan for when it's targeted. Many growing businesses are moving toward modern, identity-based remote access that removes that single exposed front door entirely.