SonicWall

A suspected zero-day vulnerability in SonicWall firewall devices has led to a significant increase in ransomware attacks by the Akira ransomware group. The flaw allows attackers to gain initial access to corporate networks through SonicWall's SSL VPN feature, leading to subsequent ransomware deployment. The attackers have bypassed multi-factor authentication (MFA), indicating a sophisticated attack vector. The time between the initial VPN breach and the deployment of ransomware is short, giving victims little time to react. Arctic Wolf has recommended disabling the SonicWall SSL VPN service immediately until an official patch is developed and deployed.

Source: https://cybersecuritynews.com/sonicwall-firewall-akira-ransomware/

TPRM report: https://scoringcyber.rankiteo.com/company/sonicwall

"id": "son517080325",
"linkid": "sonicwall",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Cybersecurity',
                        'name': 'SonicWall',
                        'type': 'Technology Company'}],
 'attack_vector': ['Zero-Day Exploit', 'Compromised Credentials'],
 'date_detected': '2025-07-15',
 'description': 'A suspected zero-day vulnerability in SonicWall firewall '
                'devices that the Akira ransomware group is actively '
                'exploiting. The flaw allows attackers to gain initial access '
                'to corporate networks through SonicWall’s SSL VPN feature, '
                'leading to subsequent ransomware deployment.',
 'impact': {'systems_affected': 'SonicWall Firewall Devices'},
 'initial_access_broker': {'backdoors_established': 'OVERSTEP',
                           'entry_point': 'SonicWall SSL VPN',
                           'reconnaissance_period': 'From at least October '
                                                    '2024'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Importance of disabling potentially vulnerable services '
                    'and hardening firewall security',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'corrective_actions': 'Disable SonicWall SSL VPN '
                                                  'service, enable security '
                                                  'services, enforce MFA, '
                                                  'practice good password '
                                                  'hygiene, remove inactive '
                                                  'user accounts, block '
                                                  'suspicious VPN '
                                                  'authentication attempts',
                            'root_causes': 'Zero-day vulnerability in '
                                           'SonicWall SSL VPN'},
 'ransomware': {'ransomware_strain': 'Akira'},
 'recommendations': ['Disable SonicWall SSL VPN service',
                     'Enable Botnet Protection',
                     'Enforce MFA on all remote access accounts',
                     'Practice good password hygiene',
                     'Remove inactive or unused local user accounts',
                     'Block VPN authentication attempts from specific ASNs'],
 'references': [{'source': 'Arctic Wolf Labs'}],
 'response': {'containment_measures': 'Disable SonicWall SSL VPN service',
              'remediation_measures': ['Enable Botnet Protection',
                                       'Enforce MFA on all remote access '
                                       'accounts',
                                       'Practice good password hygiene',
                                       'Remove inactive or unused local user '
                                       'accounts',
                                       'Block VPN authentication attempts from '
                                       'specific ASNs']},
 'threat_actor': 'Akira Ransomware Group',
 'title': 'Zero-Day Vulnerability in SonicWall Firewall Devices Exploited by '
          'Akira Ransomware Group',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Zero-Day Vulnerability in SonicWall SSL VPN'}