SonicWall firewalls targeted in ransomware attacks, possibly via zero-day
Attackers wielding the Akira ransomware and possibly a zero-day exploit have been spotted targeting SonicWall firewalls since July 15, 2025.
“In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” Arctic Wolf researchers have warned.
Though they haven’t yet ruled out the possibility of the attackers achieving initial access to the devices through brute force, dictionary attacks and credential stuffing, there is evidence that points to the existence and exploitation of a zero-day vulnerability.
“In some instances, fully patched SonicWall devices were affected following credential rotation. Despite [time-based one-time password] [multi-factor authentication] being enabled, accounts were still compromised in some instances,” they shared, and warned that the attackers move quickly: “a short interval was observed between initial SSL VPN account access and ransomware encryption.”
Arctic Wolf Labs researchers are still investigating this particular campaign. In the meantime, they have advised organizations to consider disabling the SonicWall SSL VPN service until there’s more clarity on whether the attackers are exploiting a zero-day and, if so, until a patch is made available and deployed.
They should also check for (and block) suspicious VPN logins originating from Virtual Private Server hosting providers. (The researchers have listed five of them.)
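The check recommended above can be automated against VPN login logs. The following Python snippet is an added example, not code from the article or from Arctic Wolf: it parses simplified `key="value"` firewall log lines (a constructed sample; the field names are assumptions, not SonicWall's schema), and flags successful SSL VPN logins whose source address falls inside a set of hosting-provider ranges. The provider names and CIDR blocks are placeholders, since the article does not reproduce the researchers' list; a defender would substitute the published ranges or an ASN-to-prefix feed.

```python
import ipaddress
import re

# Placeholder ranges standing in for the VPS hosting providers' address space.
# The real list is not reproduced on the page; these are constructed values.
VPS_PROVIDER_RANGES = {
    "ExampleVPS-A": ["198.51.100.0/24"],
    "ExampleVPS-B": ["203.0.113.0/25", "2001:db8:1::/48"],
}

# Constructed, simplified syslog-style SSL VPN events. The field names
# (time, msg, usr, src, dst) are assumptions for this example only.
SAMPLE_LOG = """\
time="2025-07-16 02:14:07" msg="SSL VPN zone remote user login allowed" usr="j.doe" src=198.51.100.23 dst=192.0.2.10
time="2025-07-16 02:14:52" msg="SSL VPN zone remote user login allowed" usr="admin" src=203.0.113.77 dst=192.0.2.10
time="2025-07-16 08:03:11" msg="SSL VPN zone remote user login allowed" usr="a.smith" src=192.0.2.200 dst=192.0.2.10
time="2025-07-16 08:05:40" msg="SSL VPN zone remote user login failed" usr="j.doe" src=198.51.100.23 dst=192.0.2.10
"""

# key=value pairs where the value is either "quoted text" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Pre-parse the CIDR strings once so each lookup is a cheap membership test.
_NETWORKS = [
    (name, ipaddress.ip_network(cidr))
    for name, cidrs in VPS_PROVIDER_RANGES.items()
    for cidr in cidrs
]


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        # group 3 is the quoted value, group 4 the bare value
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def vps_provider_for(ip_text):
    """Return the provider label whose range contains ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # missing or malformed src field
    for name, net in _NETWORKS:
        if ip.version == net.version and ip in net:
            return name
    return None


def find_suspicious_vpn_logins(log_text):
    """Flag successful SSL VPN logins whose source sits in a VPS provider range.

    Failed attempts are deliberately skipped here: the point of this check is
    to surface accounts that are already in use from hosting infrastructure.
    """
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if "login allowed" not in f.get("msg", ""):
            continue
        provider = vps_provider_for(f.get("src", ""))
        if provider:
            findings.append({
                "time": f.get("time"),
                "user": f.get("usr"),
                "src": f.get("src"),
                "provider": provider,
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_vpn_logins(SAMPLE_LOG):
        print(f'{hit["time"]} user={hit["user"]} src={hit["src"]} provider={hit["provider"]}')
```

Each flagged record names the account, so the same output drives the second half of the recommendation: review those accounts and add the matching ranges to a block rule on the VPN listener.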
The Akira ransomware-as-a-service outfit sprang up in early 2023 and has since managed to extort tens of millions of US dollars from its 250+ victims.
The group – or its affiliates – have a penchant for targeting internet-exposed edge and security devices developed by Cisco and SonicWall.
Also under attack: SonicWall SMA devices
This latest warning has landed a week after SonicWall urged customers to patch a newly uncovered vulnerability (CVE-2025-40599) affecting its Secure Mobile Access (SMA) 210, 410 or 500v appliances.
According to SonicWall, there is no evidence that CVE-2025-40599 – an authenticated file upload vulnerability – is being exploited by attackers. Still, the company advised organizations running those devices to check whether they’ve been compromised in an earlier attack campaign spotted and investigated by Google’s security experts.
The first step of that campaign may have started as early as January 2025, Google’s Threat Intelligence Group (GTIG) found, but they have yet to determine whether the attackers leveraged a zero-day vulnerability to install the persistent OVERSTEP rootkit/backdoor and/or deploy ransomware.
Last week, SonicWall published an urgent advisory with advice on how to remove the rootkit, upgrade/rebuild compromised devices, rotate credentials and reset OTP seeds/bindings. Google’s researchers have also updated their report with a new network indicator of compromise associated with this campaign.