Uptick in Akira Ransomware Activity Exploiting Suspected SonicWall VPN Zero-Day Vulnerability
Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:
DigitalXRAID’s SOC analysts are urgently advising customers of a new wave of ransomware attacks linked to suspected exploitation of SonicWall SSL VPN devices. Evidence suggests threat actors associated with the Akira ransomware group may be leveraging an unpatched zero-day vulnerability to gain initial access, bypassing standard authentication controls, including multi-factor authentication.
Read more about the CVE detail here: CVE-2025-406600
The CVSS (Common Vulnerability Scoring System) Severity Score (v3) has been rated as: 9.8 – Critical.
Between 15 July and early August 2025, analysts observed a sharp rise in malicious VPN logins targeting fully patched SonicWall appliances. In several confirmed cases, these logins led to ransomware deployment shortly after initial access was achieved.
In some incidents, attackers gained access despite MFA being enabled and passwords having recently been rotated, raising serious concerns of a possible zero-day vulnerability. This bypass behaviour has been consistent across multiple victim environments, where traditional brute-force or credential stuffing attacks do not appear to be the root cause.
Once access is gained via the SSL VPN, threat actors are logging in from IP addresses belonging to Virtual Private Server (VPS) hosting providers to mask their origin. These VPS-sourced logins contrast with typical user behaviour, where remote-access sessions originate from residential or business broadband IP ranges.
Attackers have been observed conducting rapid post-login activity to move laterally, establish persistence, and deploy Akira ransomware. This pattern of “pre-ransomware intrusion” reinforces the need for immediate threat hunting and enhanced monitoring of VPN endpoints.
New developments from SonicWall and external investigations
SonicWall has confirmed that it is actively investigating a recent surge in attacks impacting multiple Gen 7 firewall models running various firmware versions with SSL VPN enabled. In a public statement, the vendor advised all customers to immediately disable SSL VPN services “where practical” and to follow a comprehensive list of additional mitigations.
SonicWall stated: “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible.”
The company’s alert came after researchers identified successful intrusions even in environments where MFA was enabled, and credentials had recently been rotated, strongly suggesting a zero-day exploit. The attacks are believed to affect firmware versions 7.2.0-7015 and earlier.
To mitigate exposure, SonicWall has advised organisations to:
- Limit SSL VPN access to trusted source IPs
- Enable built-in protections such as botnet defence and geo-IP filtering
- Remove all unused or inactive user accounts
- Practice good password hygiene, including rotating credentials and ensuring that previously stolen or leaked credentials are never reused
The nature of the compromise involves rapid takeover of privileged accounts, lateral movement, disabling of security tooling, and deployment of ransomware payloads. Akira ransomware continues to be the final-stage malware in these incidents.
Edge devices remain a prime target for sophisticated cybercriminals. Security researchers have highlighted the evolving technical capabilities of ransomware operators, some of whom now rival nation-state actors in their exploitation techniques. This has been enabled largely by substantial illicit profits being reinvested into tooling and reconnaissance.
Separately, SonicWall recently issued an urgent advisory addressing critical vulnerabilities in its SMA 100 Series appliances. These appear to be part of a distinct campaign unrelated to the current Gen 7 firewall exploitation but further illustrate the attractiveness of SonicWall products as initial access targets.
Mitigation Guidance:
If your organisation uses SonicWall SSL VPN devices, DigitalXRAID recommends the following immediate actions:
- Enable log monitoring and analysis to detect anomalous VPN login attempts, ideally through a Managed Detection and Response (MDR) service such as DigitalXRAID’s 24/7 SOC
- Enforce MFA for all remote access users, but recognise this control may be bypassed in this specific threat scenario
- Review and remove unused firewall user accounts, especially those with remote access permissions
- Consider disabling SonicWall SSL VPN services until a confirmed patch is released or the root cause is verified
- Enable security features such as botnet protection and IP reputation filtering on SonicWall devices
- Review and block suspicious Autonomous System Numbers (ASNs) and CIDR ranges associated with VPS providers used in observed attacks
- Enforce strict password policies, and encourage regular credential updates across all users
- Correlate VPN logins with user locations and behaviour baselines to detect suspicious activity
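Several of the actions above (restricting access to trusted source IPs, blocking VPS-provider ranges, correlating logins against user baselines, and watching for rapid follow-on activity) reduce to checks that can be run over VPN login telemetry. The script below is an added example written for this page and is not DigitalXRAID's or SonicWall's own code. The log lines are constructed for illustration and only loosely imitate a key=value syslog style; the field names, the trusted and VPS CIDR ranges (RFC 5737 documentation addresses), the per-user baseline and the privileged-account list are all assumptions to be replaced with your own data.

```python
"""Triage SSL VPN login events against source-IP policy and user baselines.

Added example, not code from the original advisory. Log format, CIDR ranges,
baseline and user list are constructed assumptions for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Format is an assumption.
SAMPLE_LOG = """\
2025-07-21T08:02:11Z msg="SSL VPN login" user=jsmith src=203.0.113.45 result=success
2025-07-21T22:50:30Z msg="SSL VPN login" user=jsmith src=203.0.113.45 result=success
2025-07-21T23:14:03Z msg="SSL VPN login" user=jsmith src=198.51.100.17 result=success
2025-07-21T23:15:50Z msg="SSL VPN login" user=admin src=198.51.100.18 result=success
2025-07-22T01:03:09Z msg="SSL VPN login" user=bjones src=192.0.2.77 result=failure
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) msg="SSL VPN login" user=(?P<user>\S+) '
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed policy inputs. 203.0.113.0/24 stands in for known office/broadband space,
# 198.51.100.0/24 for a hypothetical VPS/hosting-provider block.
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
VPS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
PRIVILEGED_USERS = {"admin"}
# Per-user baseline of networks seen in historical, known-good logins (constructed).
USER_BASELINE = {
    "jsmith": {ipaddress.ip_network("203.0.113.0/24")},
    "admin": {ipaddress.ip_network("203.0.113.0/24")},
}


def parse_event(line):
    """Return a dict for one login line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": ipaddress.ip_address(m["src"]),
        "result": m["result"],
    }


def in_any(ip, nets):
    return any(ip in n for n in nets)


def source_net(ip):
    """Coarse network for an address: /24 for IPv4, /64 for IPv6."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def classify(event, trusted=TRUSTED_SOURCES, vps=VPS_RANGES,
             baseline=USER_BASELINE, privileged=PRIVILEGED_USERS):
    """Reasons a *successful* login looks suspicious; empty list means clean.

    Failed attempts are ignored here: the advisory's concern is successful
    access that bypassed authentication, not brute force.
    """
    reasons = []
    if event["result"] != "success":
        return reasons
    src = event["src"]
    if not in_any(src, trusted):
        reasons.append("source outside trusted allowlist")
    if in_any(src, vps):
        reasons.append("source in VPS/hosting range")
    known = baseline.get(event["user"], set())
    if known and not in_any(src, known):
        reasons.append("source deviates from user baseline")
    if reasons and event["user"] in privileged:
        reasons.append("privileged account")
    return reasons


def rapid_source_changes(events, window=timedelta(minutes=60)):
    """Flag a user whose successful logins arrive from different networks within `window`."""
    alerts = []
    last = {}  # user -> (timestamp, network) of the previous successful login
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "success":
            continue
        net = source_net(e["src"])
        prev = last.get(e["user"])
        if prev and prev[1] != net and e["ts"] - prev[0] <= window:
            alerts.append({"kind": "rapid_source_change", "ts": e["ts"], "user": e["user"],
                           "src": str(e["src"]),
                           "reasons": [f"{prev[1]} -> {net} within {e['ts'] - prev[0]}"]})
        last[e["user"]] = (e["ts"], net)
    return alerts


def triage(log_text):
    """Parse all lines and return a list of alert dicts (kind, ts, user, src, reasons)."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    alerts = []
    for e in events:
        reasons = classify(e)
        if reasons:
            alerts.append({"kind": "suspicious_source", "ts": e["ts"], "user": e["user"],
                           "src": str(e["src"]), "reasons": reasons})
    alerts.extend(rapid_source_changes(events))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["kind"], a["user"], a["src"], "; ".join(a["reasons"]))
```

On the constructed sample the two logins from the VPS range are flagged on three counts each (outside the allowlist, inside a hosting range, off the user's baseline), the admin login additionally as a privileged account, and jsmith's jump from a baseline network to the VPS range within 24 minutes is reported as a rapid source change. In production the allowlist, hosting ranges and baseline would be fed from your firewall policy, ASN/IP-reputation data and historical logins rather than hard-coded.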
This threat highlights the critical risk posed by edge devices that are internet-facing but often sit outside of EDR coverage. VPNs, firewalls, and similar systems are high-value targets and must be included in continuous security monitoring and threat detection processes.
DigitalXRAID’s Threat Intelligence specialists are monitoring SonicWall’s public advisories and working with our partners in real time as the threat landscape evolves. Customers are advised to treat this as an active threat and remain in a heightened state of alert until further notice.
If a SonicWall patch is issued, customers should apply it immediately and revalidate user access policies and device configurations. Where possible, replace internet-facing SSL VPN endpoints with more secure, monitored access gateways.
If you need any further guidance on this, please contact DigitalXRAID’s Security Operations Centre analysts. We’re here to support you.
If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week.
Bookmark this page in case you ever need us.