A Likely Zero-Day Vulnerability in SonicWall SSL-VPN Exploited by Akira Ransomware Group
Update
SonicWall has clarified that the recent cyber activity affecting Gen 7 firewalls with SSL-VPN enabled is not the result of a zero-day vulnerability, but is instead linked to CVE-2024-40766. This is an improper access control vulnerability first disclosed in August 2024. This flaw affects the SonicOS management interface and SSL-VPN components, and under certain conditions, can lead to unauthorized resource access. The issue was originally addressed in SonicWall advisory SNWLID-2024-0015.
According to SonicWall and corroborating incident response data, many affected deployments involve migrations from Gen 6 to Gen 7 firewalls where local user accounts and passwords were imported without being reset. These legacy credentials, combined with suboptimal configuration hardening, created conditions susceptible to credential-based attacks, including brute-force and MFA bypass attempts.
SonicWall is urging customers who have migrated configurations from Gen 6 appliances to:
- Upgrade to SonicOS firmware version 7.3.0 or later, which includes enhanced protections against credential attacks
- Reset all local user account passwords for any users with SSL-VPN access
- Audit and harden SSL-VPN configurations, especially those exposing local accounts inherited from previous generations
Environments not yet upgraded to SonicOS 7.3 remain more vulnerable, as they lack recent mitigations that improve authentication hardening and brute-force resistance.
Summary
In late July 2025, the Cyber Fusion Center (CFC) observed and investigated multiple incident response engagements involving network intrusions traced to SonicWall SSL-VPN devices, followed shortly by ransomware deployment. These attacks are attributed to the Akira ransomware group, whose affiliates are actively exploiting CVE-2024-40766 in SonicWall’s VPN/firewall appliances. The vulnerability enables attackers to gain initial access even on fully-patched devices and despite multi-factor authentication (MFA), effectively bypassing usual login protections.
Confirmed intrusions have been reported across organizations in North America and Europe. Once the SonicWall device is compromised, the threat actors rapidly pivot to internal networks, where they steal credentials, disable security tools, and ultimately execute Akira ransomware to encrypt systems. These findings are based on direct forensic evidence collected and analyzed during active incident response operations led by the CFC across multiple victim environments. No official patch is currently available, and SonicWall has not yet publicly disclosed full technical details. At the moment, the only way to avoid the impact is to disable the SSL-VPN service until a patch is available.
UPDATE: The surge of attacks is linked to CVE-2024-40766.
Affected Systems and Applications
Current evidence indicates that the exploitation is limited to SonicWall Gen 7 firewalls, specifically TZ and NSa-series models, with SSL-VPN enabled.
Confirmed Affected
SonicWall Gen 7 TZ and NSa-series firewalls
- Firmware versions 7.2.0-7015 and earlier
- Devices with SSL-VPN services exposed to the internet
All seventh-generation SonicWall firewalls running SonicOS (e.g. TZ and NSa models) with SSL-VPN enabled are at risk. Huntress confirms the suspected vulnerability exists in firmware versions 7.2.0-7015 and earlier. Environments with these devices exposed to the internet for VPN access are the primary targets.
SonicWall SMA
SonicWall SMA series remote access devices (which provide SSL-VPN functionality) have also been implicated in the observed incidents. Both traditional firewalls and SMA VPN appliances are being targeted in similar ways.
Potentially Affected (Under Investigation)
- Other Gen 7 SonicWall firewalls with SSL-VPN enabled
- Any configurations exposing the SSL-VPN interface to untrusted networks
There are no current indications that SMA 100-series appliances or Gen 6 models are affected. However, organizations using any SonicWall appliance with SSL-VPN enabled should perform proactive threat hunting and consider disabling VPN exposure until more is known.
Technical Details
The attack begins with a direct compromise of the SonicWall appliance itself. The threat actor gains unauthenticated access to the firewall, bypassing both login and multi-factor authentication (MFA) mechanisms. This provides the adversary with a foothold inside the network perimeter via the exposed VPN service. Indicators strongly suggest a novel flaw: multiple incidents involved fully-patched SonicWall devices being breached and MFA controls rendered ineffective. (While brute-force or stolen credentials were considered, many victims had recently rotated credentials, and some attacks progressed even with MFA, pointing to a sophisticated exploit.) In each case, the attacker gains unauthorized VPN access to the network via the SonicWall appliance as the entry point.
Once access is established, the Akira ransomware group executes a structured, multi-stage operation:
Initial Access
- Compromise of the SonicWall SSL-VPN appliance: The attacker breaches the SonicWall device via the suspected zero-day, effectively taking control of the appliance or extracting valid VPN session credentials. This provides a foothold on the internal network.
Privilege Escalation via Internal Accounts
- The threat actors elevate privileges by abusing credentials stored on or used by the SonicWall. In many cases, the firewall had an over-privileged domain account (e.g. an LDAP service account for directory integration) which the attackers hijack. Accounts such as “sonicwall” or “LDAPAdmin” tied to the device were leveraged to gain Domain Admin-level access in the victim environment.
Command and Control & Persistence
- Deployment of Cloudflared tunnels and OpenSSH, giving the attacker persistent C2 access.
- Installation of remote access tools such as the RMMs AnyDesk and ScreenConnect, as well as SSH.
- Creation and configuration of new user accounts.
By installing a Cloudflared tunnel and an SSH backdoor, the threat actors ensure continued clandestine access even if the VPN hole is later closed.
Lateral Movement & Credentials Dumping
- Use of WMI and PowerShell Remoting to move across the network.
- Enumeration of network topology, assets, and privileges.
- Dumping and decrypting credentials.
Armed with high privileges, the threat actors expand across the network. They utilize a mix of “living off the land” techniques and custom tools to map out and dominate the environment.
Defense Evasion
- Disabling security tools prior to ransomware deployment. Techniques include:
  - Set-MpPreference to disable Windows Defender.
  - netsh.exe to disable the firewall or add new firewall rules.
The threat actors methodically disable security tools and logging to avoid detection. They use Windows utilities and commands to impair defenses.
Exfiltration & Ransomware Deployment
In several cases, the attackers prepared data for exfiltration prior to encryption. They were observed compressing files and sensitive data using tools like WinRAR (command-line usage to archive data), and in some instances using FTP tools (e.g., FileZilla’s command-line fzsftp.exe) to export stolen data.
- Staging of data for exfiltration using compression tools.
- Deployment of the Akira ransomware payload.
- Targeting of backup servers and recovery infrastructure to increase impact.
Mitigation & Recommendations
Update:
To ensure full protection and minimize exposure, the Cyber Fusion Center (CFC) recommends the following immediate actions:
Immediate Actions
- Update firmware to version 7.3.0, which includes enhanced protections against brute-force attacks and additional MFA controls. Further details are in the Firmware update guide, listed in the References section.
- Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
- Continue applying the previously recommended best practices:
- Enable Botnet Protection and Geo-IP Filtering.
- Remove unused or inactive user accounts.
- Enforce MFA and strong password policies.
- As an immediate precaution, disable SonicWall SSL-VPN services entirely if your organization can operate without them (until a fix is applied). Where VPN access must remain, limit inbound connectivity to a whitelist of trusted IP ranges (e.g., your employees’ ISP ranges or known partners) so that the SonicWall VPN cannot be accessed by arbitrary internet hosts.
Proactive patches and hardening
- Monitor SonicWall’s official advisory channels closely for any security updates or hotfixes addressing this issue. SonicWall has stated it will release updated firmware and guidance as soon as a vulnerability is confirmed. Plan to upgrade the SonicOS/SMA firmware immediately once a patch is available.
- Ensure offline and immutable backups are in place and tested.
Detection and Hunting Measures
- The CFC strongly recommends enabling verbose logging on SonicWall appliances (VPN, system, and authentication logs) and forwarding all logs to a centralized SIEM to support retrospective analysis and threat hunting, in accordance with the priorities defined in the log collection framework.
- Use EDR across endpoints to monitor post-compromise activity.
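As an added example that is not part of the CFC advisory, the following Python hunt applies the advisory's own IOCs (the payload hash, the two attacker hostnames and the hijacked "sonicwall"/"LDAPAdmin" accounts) and the command-line TTPs from the Defense Evasion, C2/Persistence and Exfiltration sections to process-creation telemetry of the kind a SIEM or EDR would forward. The event schema, the regexes, and every host, user and command line in the sample set are constructed assumptions, not data from the incidents.

```python
import re

# Indicators quoted from the advisory's IOC section and technical details.
IOC_HASH = "FFED1A30D2CF18FE9278AB9FEEDCC65E7FF3E07DE4208C253C854C3B3E0F4ED0"
IOC_HOSTNAMES = {"DESKTOP-ER0LK0E", "DESKTOP-MA79SEI"}
SUSPECT_ACCOUNTS = {"sonicwall", "ldapadmin"}  # firewall-tied accounts hijacked for DA access

# Assumed regexes for the TTPs named in the Defense Evasion, C2 and Exfiltration sections.
TTP_PATTERNS = [
    ("defender_tamper", re.compile(r"Set-MpPreference\b.*-Disable", re.I)),
    ("firewall_tamper", re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b", re.I)),
    ("cloudflared_tunnel", re.compile(r"\bcloudflared(\.exe)?\b.*\btunnel\b", re.I)),
    ("remote_access_tool", re.compile(r"\b(anydesk|screenconnect)\b", re.I)),
    ("sftp_exfil", re.compile(r"\bfzsftp\.exe\b", re.I)),
    ("archive_staging", re.compile(r"\b(rar|winrar)(\.exe)?\b\s+a\b", re.I)),
]

# Constructed process-creation events standing in for SIEM/EDR telemetry (not real victim data).
SAMPLE_EVENTS = [
    {"id": 1, "host": "WKS-042", "user": "CORP\\jdoe",
     "cmd": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 2, "host": "SRV-FS01", "user": "CORP\\LDAPAdmin",
     "cmd": "netsh.exe advfirewall set allprofiles state off"},
    {"id": 3, "host": "DESKTOP-ER0LK0E", "user": "CORP\\sonicwall",
     "cmd": "cloudflared.exe tunnel run --token <redacted>"},
    {"id": 4, "host": "SRV-FS01", "user": "CORP\\LDAPAdmin",
     "cmd": "rar.exe a -r finance.rar D:\\Shares\\Finance"},
    {"id": 5, "host": "SRV-FS01", "user": "CORP\\LDAPAdmin", "cmd": "fzsftp.exe"},
    {"id": 6, "host": "WKS-017", "user": "CORP\\asmith",
     "cmd": "notepad.exe C:\\Users\\asmith\\notes.txt"},
    {"id": 7, "host": "SRV-BK01", "user": "CORP\\LDAPAdmin",
     "cmd": "C:\\Temp\\payload.exe", "sha256": IOC_HASH},
]

def hunt(events):
    """Return {event_id: [reasons]} for every event matching an advisory IOC or TTP."""
    hits = {}
    for ev in events:
        reasons = []
        if ev.get("sha256", "").upper() == IOC_HASH:
            reasons.append("ioc_hash_akira_payload")
        if ev.get("host", "").upper() in IOC_HOSTNAMES:
            reasons.append("ioc_attacker_hostname")
        # Strip the DOMAIN\ prefix so "CORP\LDAPAdmin" is compared as "ldapadmin".
        if ev.get("user", "").split("\\")[-1].lower() in SUSPECT_ACCOUNTS:
            reasons.append("firewall_service_account_activity")
        reasons += [name for name, pat in TTP_PATTERNS if pat.search(ev.get("cmd", ""))]
        if reasons:
            hits[ev["id"]] = reasons
    return hits
```

Any single reason is worth triage, but an account-plus-TTP pairing (as in events 2, 4 and 5) is the pattern the advisory describes and should be escalated first.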
What the Cyber Fusion Center is Doing
The CFC is currently:
- Continuing active threat hunting operations and support engagements in environments impacted by this SonicWall VPN exploitation.
- Leveraging findings from recent IR cases to refine detection and response capabilities.
- Monitoring SonicWall’s release of a patch or verified mitigation guidance.
The CFC will continue to monitor the situation and send an advisory update if needed. At the moment, the only way to avoid the impact is to disable the SSL-VPN service until a patch is available.
Indicators of Compromise (IOCs)
Type | Value | Description
Hash | FFED1A30D2CF18FE9278AB9FEEDCC65E7FF3E07DE4208C253C854C3B3E0F4ED0 | SHA-256 hash of the ransomware executable
Hostname | DESKTOP-ER0LK0E | Artefact hostname the threat actors often use
Hostname | DESKTOP-MA79SEI | Artefact hostname the threat actors often use
References
- Firmware update guide
- https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
- SNWLID-2024-0015 – CVE-2024-40766
- Akira Ransomware Exploits SonicWall VPNs in Likely Zero-Day Attack on Fully-Patched Devices
- Huntress Threat Advisory: Active Exploitation of SonicWall VPNs
- https://www.theregister.com/2025/08/04/sonicwall_investigates_cyber_incidents
- https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
- https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/
- https://thehackernews.com/2024/04/akira-ransomware-gang-extorts-42.html