
Akira Ransomware is actively exploiting a zero-day vulnerability in SonicWall Firewall devices.

A suspected zero-day vulnerability in SonicWall firewall devices is currently being exploited by the Akira ransomware group. This flaw enables attackers to gain initial access to corporate networks via SonicWall’s SSL VPN feature, facilitating subsequent ransomware deployment. Security researchers noted a significant uptick in ransomware attacks leveraging SonicWall devices in late July 2025. Evidence strongly indicates a zero-day exploit, as intrusions were successful even on fully patched firewalls. In some instances, attackers managed to bypass multi-factor authentication (MFA), showcasing a sophisticated attack vector that circumvents standard security measures. The surge in activity, which began as early as July 15, 2025, has been linked to the Akira ransomware gang, which has been observed using compromised credentials to access SonicWall SSL VPNs from IP addresses associated with Virtual Private Server (VPS) hosting providers. The time between the initial VPN breach and ransomware deployment is notably short, leaving victims with little time to react.

In light of this critical situation, Arctic Wolf has recommended that organisations disable the SonicWall SSL VPN service immediately until an official patch is released. This drastic measure aims to prevent initial access and subsequent network compromise. Security experts have reiterated best practices for hardening firewall security, including enabling security services like Botnet Protection and enforcing MFA on all remote access accounts. Additionally, organisations are advised to practise good password hygiene and remove any inactive or unused local user accounts, particularly those with VPN access, to reduce the attack surface. They are also encouraged to block VPN authentication attempts from specific hosting-related Autonomous System Numbers (ASNs) associated with this malicious campaign. While these networks are not inherently malicious, their use for VPN authentication is atypical for legitimate users and therefore raises suspicion.

Arctic Wolf Labs continues to investigate the campaign and will provide further updates as they become available. Meanwhile, organisations using SonicWall firewalls should review their security posture and take immediate action to mitigate this active threat.

SonicWall’s end-of-life appliances from the SMA 100 series have also been highlighted, following the discovery of a covert campaign that combines a suspected zero-day remote-code-execution vulnerability with a sophisticated backdoor known as OVERSTEP. Integrating ANY.RUN TI Lookup can further enhance threat detection and response capabilities for organisations facing this escalating risk.
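Two of the recommendations above lend themselves to a routine log review: flagging successful SSL VPN logins that originate from hosting-provider ASNs, and listing VPN-enabled accounts that have gone unused. The script below is an added example written for this article, not code from Arctic Wolf, SonicWall or ANY.RUN. The log line format, the prefix-to-ASN table, the account list and the "hosting" ASNs (taken from the RFC 5398 documentation range) are all constructed placeholders; a real deployment would feed it the firewall's own authentication logs and an ASN lookup source.

```python
"""Review SSL VPN authentication events for the two signals discussed in the
article: logins sourced from hosting-provider ASNs, and stale VPN accounts.
Everything below (log format, ASN table, sample data) is constructed for
illustration and is not SonicWall's real log format."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: documentation ASNs (RFC 5398) stand in for the hosting-provider
# ASNs an organisation has decided should never authenticate to its VPN.
HOSTING_ASNS = {64496, 64497}

# Constructed prefix-to-ASN table using RFC 5737 documentation prefixes.
PREFIX_ASN = {
    ip_network("203.0.113.0/24"): 64496,   # "VPS hosting provider A"
    ip_network("198.51.100.0/24"): 64497,  # "VPS hosting provider B"
    ip_network("192.0.2.0/24"): 64500,     # "residential ISP"
}

# Constructed log lines: "<ISO timestamp> vpn-auth user=<name> src=<ip> result=<success|failure>"
SAMPLE_LOG = """\
2025-07-15T02:11:09 vpn-auth user=jdoe src=192.0.2.44 result=success
2025-07-15T02:40:51 vpn-auth user=svc-backup src=203.0.113.17 result=success
2025-07-15T02:41:03 vpn-auth user=svc-backup src=203.0.113.17 result=success
2025-07-15T03:02:18 vpn-auth user=asmith src=198.51.100.9 result=failure
2025-07-16T09:15:00 vpn-auth user=asmith src=192.0.2.80 result=success
"""

# Constructed local account inventory: user -> has VPN access
SAMPLE_ACCOUNTS = {
    "jdoe": True,
    "svc-backup": True,
    "asmith": True,
    "old-contractor": True,   # VPN-enabled but never seen logging in
    "hr-intern": False,
}

# Constructed review time for the sample data
REVIEW_TIME = datetime(2025, 7, 17)


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str  # "success" or "failure"


def asn_for(ip: str):
    """Return the ASN owning ip according to PREFIX_ASN, or None if unknown."""
    addr = ip_address(ip)
    for net, asn in PREFIX_ASN.items():
        if addr in net:
            return asn
    return None


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed-format log line into an AuthEvent."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return AuthEvent(datetime.fromisoformat(ts), fields["user"], fields["src"], fields["result"])


def flag_hosting_logins(events):
    """Successful VPN logins whose source IP belongs to a hosting ASN."""
    return [e for e in events if e.result == "success" and asn_for(e.src_ip) in HOSTING_ASNS]


def stale_vpn_accounts(accounts, events, now, max_idle_days=90):
    """VPN-enabled accounts with no successful login in max_idle_days
    (candidates for removal per the hardening advice)."""
    last_seen = {}
    for e in events:
        if e.result == "success":
            last_seen[e.user] = max(last_seen.get(e.user, e.ts), e.ts)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, vpn in accounts.items()
                  if vpn and last_seen.get(u, datetime.min) < cutoff)


def review(log_text=SAMPLE_LOG, accounts=SAMPLE_ACCOUNTS, now=REVIEW_TIME):
    """Run both checks and return their findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "hosting_logins": [(e.ts.isoformat(), e.user, e.src_ip, asn_for(e.src_ip))
                           for e in flag_hosting_logins(events)],
        "stale_accounts": stale_vpn_accounts(accounts, events, now),
    }


if __name__ == "__main__":
    findings = review()
    for row in findings["hosting_logins"]:
        print("hosting-ASN login:", *row)
    print("stale VPN accounts:", findings["stale_accounts"])
```

On the sample data the script reports the two successful `svc-backup` logins from the constructed hosting prefix and lists `old-contractor` as a VPN-enabled account with no recorded login. Failed attempts from hosting ranges are deliberately not flagged here, since the article's concern is successful authentication; an ASN-level block at the firewall is what stops those attempts in the first place.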
