Cybersecurity Threat Advisory

Update: This post was updated on August 7, 2025, to reflect corrected information regarding this threat.

An Akira ransomware campaign is specifically targeting SonicWall SSL VPN devices. Attackers are actively exploiting a vulnerability in these devices to gain unauthorized access to corporate networks. Review the details in this Cybersecurity Threat Advisory to learn more and see recommended steps to protect your network.

What is the threat?

Recent activity targeting SonicWall SSL VPN appliances was initially thought to involve a zero-day vulnerability. However, SonicWall has confirmed with high confidence that the incidents are linked to CVE-2024-40766, a critical flaw (CVSS 9.6) disclosed in August 2024 that enables attackers to hijack sessions and gain VPN access.

The Akira ransomware group has been exploiting this vulnerability in a targeted campaign that began around July 15, 2025, and continues to intensify. According to SonicWall, the attacks primarily affect systems that failed to implement recommended mitigations during the migration from Gen 6 to Gen 7 firewalls, particularly those that retained local user passwords without resetting them, creating exploitable gaps in access control.

Once inside, attackers bypass multi-factor authentication, escalate privileges, and deploy ransomware, locking systems and disrupting operations.

Why is it noteworthy?

This campaign is sophisticated, rapidly deployed, and easily scalable. Akira’s ability to bypass trusted security mechanisms, such as multi-factor authentication (MFA) and enterprise-grade VPN appliances, signals a troubling evolution in ransomware tactics.

While the vulnerability is not a zero-day, the lack of consistent mitigation during firewall migration has created widespread exposure. SonicWall SSL VPNs are used for secure remote access across sectors, making them high-value targets.

The absence of universal patching or password hygiene during migration has amplified the threat. Organizations must act quickly to implement SonicWall’s recommended mitigations and reset any retained credentials.

What is the exposure or risk?

Organizations using SonicWall SSL VPNs, especially those that migrated from Gen 6 to Gen 7 without resetting local passwords, face an elevated risk of compromise. Once attackers gain access, they can:

  • Move laterally across internal networks
  • Exfiltrate sensitive data
  • Disable security tools
  • Deploy ransomware to encrypt files and disrupt operations

The financial and reputational damage from such an attack can be severe. If left unaddressed, this vulnerability could lead to widespread breaches, particularly in sectors that rely heavily on SonicWall for secure remote connectivity.

What are the recommendations?

Barracuda recommends the following actions to protect your environment against this threat:

  • Update firmware to version 7.3.0 to implement improved defenses against brute force attacks.
  • Reset passwords for all local user accounts with SSLVPN access, particularly those migrated from Gen 6 to Gen 7, to ensure credential integrity.
  • Disable SonicWall SSL VPN, if possible, until a patch is released.
  • Limit SSL VPN connections to trusted source IPs.
  • Enable security services on your SonicWall devices such as “botnet protection” and “Geo-IP Filtering”.
  • Enable MFA for all remote access connections.
  • Enforce strong password policies.
  • Perform an audit of all accounts and remove those that are no longer active.
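
The password-reset and account-audit recommendations above can be checked against an inventory of local users. The following Python example is added here and is not Barracuda or SonicWall code; the CSV column names, the sample rows, and the migration date are constructed assumptions, not a SonicWall export format.

```python
import csv
import io
from datetime import date, timedelta

# Constructed inventory of local firewall users. Column names are hypothetical,
# not a SonicWall export format; map them to whatever your own records provide.
SAMPLE_INVENTORY = """\
username,sslvpn_access,password_last_set,last_login
alice,yes,2023-02-10,2025-08-01
bob,yes,2025-07-30,2025-08-03
carol,no,2022-11-05,2025-07-20
dave,yes,2024-01-15,2024-09-12
svc-backup,yes,,2025-08-02
"""

def audit_accounts(inventory_csv, migration_date, today, stale_after_days=90):
    """Return (needs_reset, stale) lists of usernames.

    needs_reset: SSL VPN-enabled accounts whose password predates the
                 Gen 6 to Gen 7 migration, or whose password age is unknown.
    stale:       accounts with no login inside the inactivity window.
    """
    needs_reset, stale = [], []
    cutoff = today - timedelta(days=stale_after_days)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        user = row["username"].strip()
        has_vpn = row["sslvpn_access"].strip().lower() == "yes"
        pw_set = row["password_last_set"].strip()
        last_login = row["last_login"].strip()
        # An unknown password date is treated as carried over: fail closed.
        if has_vpn and (not pw_set or date.fromisoformat(pw_set) < migration_date):
            needs_reset.append(user)
        # No recorded login, or none since the cutoff: candidate for removal.
        if not last_login or date.fromisoformat(last_login) < cutoff:
            stale.append(user)
    return needs_reset, stale

if __name__ == "__main__":
    reset, stale = audit_accounts(
        SAMPLE_INVENTORY,
        migration_date=date(2025, 3, 1),  # assumed migration date for the sample
        today=date(2025, 8, 7),
    )
    print("Reset password:", ", ".join(reset))
    print("Review for removal:", ", ".join(stale))
```

Accounts with a missing password date are flagged for reset rather than skipped, so gaps in the inventory do not hide a retained credential.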

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Spartak Myrto

Spartak is a Cybersecurity Analyst at Barracuda MSP. He supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
