SonicWall Devices Targeted by Akira Ransomware Campaign


In Q3 2025, the Akira ransomware group launched a targeted exploitation campaign against organizations running SonicWall SSLVPN appliances, capitalizing not on a zero-day exploit but on a previously disclosed vulnerability, CVE-2024-40766, where remediation steps were either incomplete or misapplied. Multiple organizations, including Rapid7, SonicWall, and the Australian Cyber Security Centre (ACSC), have released alerts and guidance in response to this threat.

Severity Level: Critical

Vulnerability Details

    • CVE: CVE-2024-40766
    • CVSS Score: 9.3
    • Type: Improper Access Control in SonicWall SSLVPN (CWE-284)
    • Affected Devices: Gen 5, Gen 6, and Gen 7 SonicWall Firewalls running SonicOS 7.0.1-5035 and older versions
    • Impact: Unauthorized SSLVPN access; possible device crash
    • Status: Actively exploited in the wild

Threat Details

    • Vendor Clarification: “This activity is not connected to a zero-day vulnerability, but rather tied to threat activity associated with the previously disclosed CVE-2024-40766.”
    • Attack Flow: SSLVPN Access → Local Account Compromise → Privilege Escalation → Data Theft → Backup Wipe → Ransomware Encryption
    • Akira ransomware operators are taking advantage of missteps in remediation and security control enforcement, not exploiting new or unknown vulnerabilities:
      • Credential Persistence from Firewall Migrations: Passwords carried over from Gen6 to Gen7 devices were not reset, leaving accounts vulnerable.
      • Unhardened LDAP SSLVPN Defaults: Default group mappings allowed unintended VPN access.
      • Exposed web portals allowed threat actors to enroll TOTP/MFA with previously stolen credentials.
    • Observed Campaign Activity:
      • First Wave: August 2024
      • Ongoing Activity: As of September 2025, incidents continue globally
      • Impacted Regions: Australia, United States, EMEA

Recommendations

    1. Ensure all affected SonicWall appliances are running on the latest patch.
    2. Confirm remediation steps beyond patching:
      • Reset all local SSLVPN account passwords, especially those migrated from Gen 6 to Gen 7.
      • Remove any default or unused accounts.
    3. Enforce Multi-Factor Authentication (MFA/TOTP) on all SSLVPN accounts.
    4. Restrict or disable the Virtual Office Portal (port 4433) from public internet exposure; limit to trusted IPs or internal LAN only.
    5. Audit and remove SSLVPN Default LDAP Group mappings to ensure they do not grant unintended access.
    6. Monitor VPN traffic for unusual login attempts, brute force activity, or logins from anomalous geographies.
    7. SonicWall is observing increased threat activity from actors attempting to brute-force user credentials. To mitigate risk, customers should enable Botnet Filtering and Geo-IP Filtering to block known threat actors and ensure Account Lockout policies are enabled.
    8. Disable WAN management of SonicWall appliances unless absolutely necessary; if enabled, restrict to known trusted IPs only.
    9. Block the IOCs at their respective controls.
      https://www.virustotal.com/gui/collection/75a5f30fad277e985b4f268eb2b173d4c475b2d5b2fa1cd9ec3ce374fa343012/iocs
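Recommendation 6 asks for monitoring of brute-force activity and logins from anomalous geographies, and recommendation 7 notes the credential brute-forcing SonicWall is observing. The following Python detector is an added example, not code from the advisory, SonicWall, Rapid7, or the ACSC. It runs over a handful of constructed log lines in a simplified key=value syslog style; the field names (time, src, usr, result, msg), the message texts, the Geo-IP table and the allow-listed country are all assumptions made for the example, so a real deployment would adapt the parser to the actual SonicOS syslog format and plug in a real Geo-IP source. It flags three things a responder would want surfaced in this campaign: a burst of failed SSLVPN logins from one source, a successful login from that same source right after the burst (a spray that worked), and successful logins or TOTP/MFA enrollments from countries outside the organisation's expected footprint.

```python
"""Flag anomalous SSLVPN logins in firewall syslog: brute force, spray success, unexpected geographies."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value syslog style.
# This is NOT the vendor's real message format; field names and messages are assumptions.
SAMPLE_LOGS = """\
time="2025-09-01 08:00:01" src=203.0.113.10 usr=alice result=denied msg="SSLVPN login failed"
time="2025-09-01 08:00:03" src=203.0.113.10 usr=alice result=denied msg="SSLVPN login failed"
time="2025-09-01 08:00:04" src=203.0.113.10 usr=bob result=denied msg="SSLVPN login failed"
time="2025-09-01 08:00:06" src=203.0.113.10 usr=carol result=denied msg="SSLVPN login failed"
time="2025-09-01 08:00:08" src=203.0.113.10 usr=dave result=denied msg="SSLVPN login failed"
time="2025-09-01 08:00:09" src=203.0.113.10 usr=dave result=allowed msg="SSLVPN login allowed"
time="2025-09-01 08:05:00" src=198.51.100.7 usr=erin result=allowed msg="SSLVPN login allowed"
time="2025-09-01 08:06:00" src=192.0.2.25 usr=frank result=allowed msg="SSLVPN login allowed"
time="2025-09-01 08:07:00" src=192.0.2.25 usr=frank result=allowed msg="TOTP binding created"
"""

# Constructed stand-in for a Geo-IP lookup, using RFC 5737 documentation prefixes.
# "ZZ" marks a country the organisation does not expect VPN users from.
GEOIP_TABLE = {"203.0.113.0/24": "ZZ", "198.51.100.0/24": "AU", "192.0.2.0/24": "ZZ"}
ALLOWED_COUNTRIES = {"AU"}  # assumed expected footprint for this example

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value line into a dict; quoted values keep their spaces."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def country_for(ip):
    """Resolve a source IP to a country code via the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src: max_failures} for sources with >= threshold denials inside any sliding window."""
    denied = defaultdict(list)
    for e in events:
        if e["result"] == "denied":
            denied[e["src"]].append(e["time"])
    flagged = {}
    for src, times in denied.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def detect_geo_anomalies(events, allowed=ALLOWED_COUNTRIES):
    """Successful events (logins and MFA enrollments) from countries outside the allow-list."""
    return [
        (e["usr"], e["src"], country_for(e["src"]), e["msg"])
        for e in events
        if e["result"] == "allowed" and country_for(e["src"]) not in allowed
    ]


def detect_mfa_enrollment(events):
    """TOTP/MFA enrollments; one from an unexpected geography is a strong signal in this campaign."""
    return [(e["usr"], e["src"], country_for(e["src"])) for e in events if "TOTP" in e["msg"]]


def analyze(text):
    events = parse_logs(text)
    bursts = detect_brute_force(events)
    return {
        "brute_force": bursts,
        # A successful login from a source that just produced a failure burst: a spray that landed.
        "success_after_burst": [
            (e["src"], e["usr"]) for e in events if e["result"] == "allowed" and e["src"] in bursts
        ],
        "geo_anomalies": detect_geo_anomalies(events),
        "mfa_enrollments": detect_mfa_enrollment(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

The sliding window in detect_brute_force is what lets the same code catch both a fast burst and a slow spray that stays under a per-minute lockout threshold; tightening `threshold` and `window` to match the Account Lockout policy from recommendation 7 turns the detector into a check that the lockout actually fired.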

Source:

    • https://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access/
    • https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
    • https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
    • https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia



    Ampcus Cyber