In Q3 2025, the Akira ransomware group launched a targeted exploitation campaign against organizations running SonicWall SSLVPN appliances, capitalizing not on a zero-day exploit but on a previously disclosed vulnerability, CVE-2024-40766, where remediation steps were either incomplete or misapplied. Multiple organizations, including Rapid7, SonicWall, and the Australian Cyber Security Centre (ACSC), have released alerts and guidance in response to this threat.
Severity Level: Critical
Vulnerability Details
- CVE: CVE-2024-40766
- CVSS Score: 9.3
- Type: Improper Access Control in SonicWall SSLVPN (CWE-284)
- Affected Devices: Gen 5, Gen 6, and Gen 7 SonicWall Firewalls running SonicOS 7.0.1-5035 and older versions
- Impact: Unauthorized SSLVPN access; possible device crash
- Status: Actively exploited in the wild
Threat Details
- Vendor Clarification: “This activity is not connected to a zero-day vulnerability, but rather tied to threat activity associated with the previously disclosed CVE-2024-40766.”
- Attack Flow: SSLVPN Access → Local Account Compromise → Privilege Escalation → Data Theft → Backup Wipe → Ransomware Encryption
- Akira ransomware operators are taking advantage of missteps in remediation and security control enforcement, not exploiting new or unknown vulnerabilities:
  - Credential Persistence from Firewall Migrations: Passwords carried over from Gen 6 to Gen 7 devices were not reset, leaving accounts vulnerable.
  - Unhardened LDAP SSLVPN Defaults: Default group mappings allowed unintended VPN access.
  - Exposed Web Portals: Publicly reachable web portals allowed threat actors to enroll TOTP/MFA using previously stolen credentials.
- Observed Campaign Activity:
  - First Wave: August 2024
  - Ongoing Activity: As of September 2025, incidents continue globally
  - Impacted Regions: Australia, United States, EMEA
Recommendations
- Ensure all affected SonicWall appliances are running on the latest patch.
- Confirm remediation steps beyond patching:
  - Reset all local SSLVPN account passwords, especially those migrated from Gen 6 to Gen 7.
  - Remove any default or unused accounts.
- Enforce Multi-Factor Authentication (MFA/TOTP) on all SSLVPN accounts.
- Restrict or disable the Virtual Office Portal (port 4433) from public internet exposure; limit to trusted IPs or internal LAN only.
- Audit and remove SSLVPN Default LDAP Group mappings to ensure they do not grant unintended access.
- Monitor VPN traffic for unusual login attempts, brute force activity, or logins from anomalous geographies.
- SonicWall is observing increased threat activity from actors attempting to brute-force user credentials. To mitigate risk, customers should enable Botnet Filtering and Geo-IP Filtering to block known threat actors and ensure Account Lockout policies are enabled.
- Disable WAN management of SonicWall appliances unless absolutely necessary; if enabled, restrict to known trusted IPs only.
- Block the IOCs at their respective controls:
  - https://www.virustotal.com/gui/collection/75a5f30fad277e985b4f268eb2b173d4c475b2d5b2fa1cd9ec3ce374fa343012/iocs
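The monitoring recommendation above (unusual login attempts, brute force activity, anomalous geographies), as an added example that is not from this advisory, SonicWall or Rapid7: a small Python detector run over constructed sample SSLVPN login records. The five-field record shape, the thresholds and the set of expected countries are assumptions for illustration, not SonicWall's actual log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified "time,user,src_ip,country,result"
# shape (an assumption for this example, not SonicWall's real syslog format).
SAMPLE_LOGS = """\
2025-09-01T08:00:01Z,jdoe,198.51.100.7,US,FAIL
2025-09-01T08:00:03Z,jdoe,198.51.100.7,US,FAIL
2025-09-01T08:00:05Z,jdoe,198.51.100.7,US,FAIL
2025-09-01T08:00:07Z,jdoe,198.51.100.7,US,FAIL
2025-09-01T08:00:09Z,jdoe,198.51.100.7,US,FAIL
2025-09-01T08:00:11Z,jdoe,198.51.100.7,US,SUCCESS
2025-09-01T09:15:00Z,asmith,203.0.113.5,AU,SUCCESS
2025-09-01T09:20:00Z,bwong,192.0.2.44,RU,SUCCESS
"""

EXPECTED_COUNTRIES = {"US", "AU"}   # assumption: where this org's users normally log in from
FAIL_THRESHOLD = 5                  # failed attempts from one source IP within WINDOW
WINDOW = timedelta(minutes=5)

def parse(lines):
    """Yield (timestamp, user, src_ip, country, result) tuples from the sample records."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, result

def analyze(lines):
    """Return alert tuples: a brute-force burst per source IP, a success that
    directly follows such a burst, and any success from an unexpected country."""
    alerts = []
    fails = defaultdict(list)      # src_ip -> timestamps of recent failed attempts
    for ts, user, ip, country, result in parse(lines):
        if result == "FAIL":
            window = [t for t in fails[ip] if ts - t <= WINDOW] + [ts]
            fails[ip] = window
            if len(window) == FAIL_THRESHOLD:   # fire once when the threshold is reached
                alerts.append(("brute_force", ip, user))
        else:
            recent = [t for t in fails[ip] if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:   # likely guessed or stolen credential
                alerts.append(("success_after_burst", ip, user))
            if country not in EXPECTED_COUNTRIES:
                alerts.append(("anomalous_geo", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```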
Sources:
- https://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access/
- https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
- https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia