
Cybercriminals are exploiting a new, unseen vulnerability in SonicWall VPNs, mounting ransomware attacks

Increased instances of harmful Virtual Private Network (VPN) sign-ins reported recently

SonicWall VPN systems under apparent threat from a suspected zero-day exploit used in ransomware incursions.


In the past few weeks, SonicWall SSL VPN devices, particularly Gen 7 firewalls, have been targeted by the Akira ransomware group. Initial reports suggested a possible zero-day vulnerability, but further investigation has revealed a different story.

The attacks, which began around July 15, 2025, have been linked to the exploitation of a previously disclosed vulnerability, CVE-2024-40766, and to legacy credential reuse during migration from Gen 6 to Gen 7 devices. SonicWall has confirmed fewer than 40 incidents, most of which are attributed to credential reuse rather than to a new vulnerability.

The Akira ransomware group, active since early 2023, is known for targeting internet-facing security devices such as Cisco and SonicWall appliances. The group's modus operandi involves gaining an initial foothold through compromised VPN credentials and exposed services. Once they have access, they deploy the ransomware quickly, leaving only a short interval between the initial SSL VPN account login and ransomware encryption.

The FBI and CISA have issued warnings about Akira's activity, advising organizations to take immediate action. Here are some steps businesses can take to protect themselves:

  1. Enforce Multifactor Authentication (MFA): Until SonicWall provides a patch or explanation, businesses using these VPNs are advised to enforce MFA. This adds an extra layer of security to your accounts, making it harder for attackers to gain access.
  2. Disable SSL VPN Services: Where possible, disable SSL VPN services and restrict access to trusted IPs. This reduces the attack surface and makes it harder for attackers to gain access.
  3. Enable Botnet and Geo-IP Protections: Enable botnet and geo-IP protections to block malicious traffic and IP addresses.
  4. Remove Inactive Accounts: Delete inactive and unused firewall accounts. These can provide a backdoor for attackers, so removing them reduces the risk.
  5. Update Passwords Regularly: Use fresh, strong, and unique passwords for your SonicWall SSL VPNs. Regular updates make it harder for attackers to guess your password.
  6. Monitor Logs: Regularly monitor logs for suspicious VPN access from VPS providers. This can help you detect and respond to attacks more quickly.
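
The log-monitoring step above is the one that turns into detection logic. The script below is an added example, not code from the article or from SonicWall: it parses a handful of constructed key=value VPN login lines (the field names and the ranges standing in for "VPS provider" address space are assumptions, chosen from documentation ranges, not a real vendor format or any real provider's allocation) and flags successful SSL VPN logins that either come from hosting/VPS ranges or hit legacy accounts that should have been retired after the Gen 6 to Gen 7 migration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed CIDR ranges standing in for VPS/hosting providers. These are
# IETF documentation ranges, not any real provider's allocation; a real
# deployment would load a maintained hosting-ASN list here.
HOSTING_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed list of accounts carried over from a Gen 6 config that should
# have been deleted (step 4 above). Any successful login to one is suspicious.
DORMANT_ACCOUNTS = {"legacy-vpn", "svc_backup"}

# Assumed log shape: time="..." src=<ip> user=<name> msg="..." (not the
# vendor's real format; only the parsing approach is the point).
LOG_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+msg="(?P<msg>[^"]+)"'
)

# Constructed sample log: one login from an assumed office address, two from
# hosting ranges (one of them to a dormant account), one failed login, and
# one malformed line the parser must skip rather than crash on.
SAMPLE_LOG = [
    'time="2025-07-20 08:02:11" src=192.0.2.10 user=aturner msg="SSL VPN zone remote user login allowed"',
    'time="2025-07-20 02:14:03" src=203.0.113.45 user=jsmith msg="SSL VPN zone remote user login allowed"',
    'time="2025-07-20 02:15:40" src=198.51.100.7 user=legacy-vpn msg="SSL VPN zone remote user login allowed"',
    'time="2025-07-20 02:16:02" src=198.51.100.7 user=admin msg="SSL VPN zone remote user login failed"',
    'garbage line the parser should skip',
]


def parse_line(line):
    """Return a dict with time/src/user/msg, or None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
        "src": ipaddress.ip_address(m["src"]),
        "user": m["user"],
        "msg": m["msg"],
    }


def is_hosting_ip(ip):
    """True if the address falls inside one of the configured hosting ranges."""
    return any(ip in net for net in HOSTING_RANGES)


def triage(lines):
    """Return one finding per successful login that matches a risk indicator."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        # Only successful logins matter here; failures are a separate signal.
        if ev is None or "login allowed" not in ev["msg"]:
            continue
        reasons = []
        if is_hosting_ip(ev["src"]):
            reasons.append("source in VPS/hosting range")
        if ev["user"] in DORMANT_ACCOUNTS:
            reasons.append("login to dormant legacy account")
        if reasons:
            findings.append({
                "time": ev["time"].isoformat(),
                "user": ev["user"],
                "src": str(ev["src"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} user={f['user']} src={f['src']}: {', '.join(f['reasons'])}")
```

Run against the constructed sample, the office login and the failed attempt are ignored, while the two hosting-range logins are reported, the second with both reasons because it also hits a dormant account. In practice the hosting-range list and the dormant-account list are the two inputs worth maintaining; the parsing is incidental to whatever format the firewall actually emits.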

It's important to note that the Akira ransomware group is known for dismantling backups to hinder recovery. So, even if you manage to stop the ransomware, you may still lose valuable data if you don't have a reliable backup system in place.

In conclusion, while early reports raised alarms about a zero-day, evidence and vendor investigation point to legacy credential issues and a known vulnerability being exploited to enable Akira ransomware attacks on SonicWall SSL VPN devices. Organizations are urged to apply these mitigations immediately and monitor logs for suspicious VPN access from VPS providers. Researchers continue to investigate and provide updates as they become available.

Cybersecurity experts are advising organizations using SonicWall SSL VPN devices to strengthen their defenses, as the Akira ransomware group has been exploiting a previously disclosed vulnerability, CVE-2024-40766, together with legacy credential reuse during migration from Gen 6 to Gen 7 devices. The FBI and CISA have issued warnings about Akira's activity and outlined steps businesses can take to protect themselves, such as enabling multifactor authentication (MFA), disabling SSL VPN services where possible, and regularly monitoring logs for suspicious VPN access from VPS providers. These measures aim to reduce the risk of compromise and protect valuable data.
