SonicWall Probes Potential Zero-Day Vulnerability Amid Akira Ransomware Surge

SonicWall is investigating a possible zero-day vulnerability following a spike in Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled.

TL;DR

SonicWall is investigating a potential zero-day vulnerability after a surge in Akira ransomware attacks on Gen 7 firewalls with SSLVPN enabled. The company is collaborating with external researchers to determine the cause and recommend mitigation steps.

Main Content

SonicWall Probes Potential Zero-Day Vulnerability After Akira Ransomware Surge

SonicWall is actively investigating a potential zero-day vulnerability following a surge in Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled. The company aims to determine if these incidents are due to a previously known flaw or a new vulnerability.

In a recent statement, SonicWall reported a notable increase in cyber incidents involving Gen 7 firewalls with SSLVPN enabled over the past 72 hours. This includes threat activity highlighted by third-party cybersecurity research teams such as:

  • Arctic Wolf
  • Google Mandiant
  • Huntress

SonicWall is collaborating with external threat researchers and keeping partners and customers informed. The vendor has announced that it will release fixes if a new vulnerability is confirmed.

Researchers at Arctic Wolf Labs recently reported that Akira ransomware is exploiting SonicWall SSL VPNs in likely zero-day attacks, targeting even fully patched devices. Arctic Wolf Labs observed multiple intrusions via VPN access in late July 2025, suggesting a zero-day vulnerability in SonicWall VPNs. Fully patched devices with MFA and rotated credentials were compromised in some attacks.

“While credential access through brute force, dictionary attacks, and credential stuffing have not been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability.” - Arctic Wolf Labs Report

Ransomware activity targeting SonicWall SSL VPNs surged from July 15, 2025, with similar cases dating back to October 2024. Attackers often authenticated to the VPN from VPS hosting providers, whereas legitimate logins typically come from ISP networks. Arctic Wolf observed only short intervals between initial VPN access and encryption, and says it is applying its own recommended defenses internally.

“In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.” - Arctic Wolf Labs Report

Organizations are advised to consider disabling the SonicWall SSL VPN service until a patch is available and deployed.

SonicWall advises enabling security services like Botnet Protection, enforcing MFA for all remote access, and removing unused firewall accounts. Regular password updates and limiting exposure to malicious VPN logins by blocking VPN authentication from hosting-related ASNs are also recommended. These steps help improve security but may not fully prevent the described threat.

Gen 7 firewall users are urged to apply key mitigations immediately. Recommended actions include disabling SSLVPN where possible, restricting access to trusted IPs, enabling security services like Botnet Protection and Geo-IP Filtering, enforcing MFA, removing unused accounts, and maintaining strong password practices.
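The hosting-ASN recommendation above can be turned into a simple detection: review successful SSL VPN authentications and flag those whose source address belongs to a hosting provider rather than a residential ISP. The following is an added example, not code from SonicWall, Arctic Wolf or the article; the log format, the prefix-to-ASN table and the sample log lines are all constructed for illustration, and a real deployment would replace the table with an IP-to-ASN feed and parse the firewall's actual log format.

```python
import ipaddress
import re

# Constructed prefix -> (ASN, category) table standing in for a real
# IP-to-ASN feed. Addresses are documentation ranges, not real hosts.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), ("AS64496", "hosting")),
    (ipaddress.ip_network("198.51.100.0/24"), ("AS64497", "isp")),
    (ipaddress.ip_network("192.0.2.0/24"), ("AS64498", "hosting")),
]

# Constructed log format (hypothetical):
# "<ISO time> SSLVPN auth user=<name> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SSLVPN auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample lines: two logins from hosting ranges, one from an ISP,
# and one failed attempt that should be ignored by the successful-login check.
LOG_LINES = """\
2025-07-20T02:11:09Z SSLVPN auth user=jdoe src=203.0.113.45 result=success
2025-07-20T02:12:30Z SSLVPN auth user=asmith src=198.51.100.7 result=success
2025-07-20T02:15:02Z SSLVPN auth user=svc_backup src=192.0.2.88 result=success
2025-07-20T02:16:44Z SSLVPN auth user=jdoe src=203.0.113.45 result=failure
""".splitlines()


def lookup_asn(ip):
    """Return (asn, category) for an address, or ("unknown", "unknown")."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ("unknown", "unknown")
    for net, info in ASN_TABLE:
        if addr in net:
            return info
    return ("unknown", "unknown")


def flag_hosting_logins(lines):
    """Return successful SSLVPN logins whose source sits in a hosting ASN."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        asn, category = lookup_asn(m["src"])
        if category == "hosting":
            flagged.append({"ts": m["ts"], "user": m["user"], "src": m["src"], "asn": asn})
    return flagged


if __name__ == "__main__":
    for hit in flag_hosting_logins(LOG_LINES):
        print(f"{hit['ts']} user={hit['user']} src={hit['src']} ({hit['asn']}) hosting-ASN login")
```

The same `lookup_asn` category check can back a deny rule for VPN authentication from hosting ASNs, which is the blocking step the article recommends; a hit is a review trigger, not proof of compromise.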

The Akira ransomware has been active since March 2023, targeting multiple industries, including education, finance, and real estate. The group has developed a Linux encryptor to target VMware ESXi servers.

Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall)

For more details, visit the full article: source

Conclusion

SonicWall’s investigation into the potential zero-day vulnerability underscores the ongoing threat of ransomware attacks. Organizations must remain vigilant and proactive in their cybersecurity measures to protect against such threats.

This post is licensed under CC BY 4.0 by the author.