SonicWall Firewall Devices 0-day Vulnerability Actively Exploited by Akira Ransomware

A suspected zero-day vulnerability in SonicWall firewall devices is being actively exploited by the Akira ransomware group. The flaw allows attackers to gain initial access to corporate networks through SonicWall’s SSL VPN feature, leading to subsequent ransomware deployment.

In late July 2025, security researchers observed a significant increase in ransomware attacks leveraging SonicWall devices. The evidence strongly points to a zero-day exploit, as intrusions were successful even on fully patched firewalls.

In some cases, attackers bypassed multi-factor authentication (MFA), indicating a sophisticated attack vector that circumvents standard security measures.

The recent surge in activity, which began as early as July 15, 2025, has been attributed to the Akira ransomware gang. This group has been observed using compromised credentials to log into SonicWall SSL VPNs, often from IP addresses associated with Virtual Private Server (VPS) hosting providers rather than typical residential or business internet services.

The time between the initial VPN breach and the deployment of ransomware is notably short, giving victims little time to react. While malicious VPN logins have been observed since at least October 2024, the latest campaign shows a marked escalation.

Given the high likelihood of an unpatched vulnerability, Arctic Wolf has issued a primary recommendation for organizations to disable the SonicWall SSL VPN service immediately until an official patch is developed and deployed. This drastic step is advised to prevent initial access and subsequent network compromise.

In addition to this critical measure, security experts have reiterated general best practices for hardening firewall security. SonicWall recommends enabling security services like Botnet Protection, enforcing MFA on all remote access accounts, and practicing good password hygiene with periodic updates.

Furthermore, administrators are advised to remove any inactive or unused local user accounts, particularly those with VPN access, to reduce the attack surface.

Organizations are also encouraged to block VPN authentication attempts originating from a list of specific hosting-related Autonomous System Numbers (ASNs) that have been associated with this malicious campaign.

While these networks are not inherently malicious, their use for VPN authentication is highly suspicious in this context.
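The detection side of the ASN advice above can be automated. The following is an added example, not code from the article, Arctic Wolf or SonicWall: it scans constructed, simplified SSL VPN login records (the field layout is assumed, not SonicWall's real log format) and flags successful logins whose source address falls in a hosting/VPS prefix; the prefixes and AS numbers are placeholders.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed log lines in an assumed, simplified SSL VPN login layout.
# These are NOT real SonicWall records; RFC 5737 documentation addresses are used.
SAMPLE_LOGS = [
    '2025-07-16T02:14:09Z msg="SSL VPN login succeeded" user=jdoe src=203.0.113.45',
    '2025-07-16T08:30:12Z msg="SSL VPN login succeeded" user=asmith src=192.0.2.17',
    '2025-07-16T08:31:40Z msg="SSL VPN login succeeded" user=svc_backup src=198.51.100.200',
    '2025-07-16T09:02:55Z msg="SSL VPN login failed" user=jdoe src=203.0.113.46',
]

# Constructed prefix-to-ASN table with placeholder AS numbers. A real deployment
# would populate this from the organisation's own block list or an IP-intelligence feed.
HOSTING_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): ("AS64500", "example-vps-hoster"),
    ipaddress.ip_network("198.51.100.0/24"): ("AS64501", "example-cloud-hoster"),
}

LOG_RE = re.compile(r'^(?P<ts>\S+) msg="(?P<msg>[^"]+)" user=(?P<user>\S+) src=(?P<src>\S+)$')

Hit = namedtuple("Hit", "ts user src asn org")


def lookup_asn(ip_str):
    """Return (asn, org) when the address sits in a known hosting prefix, else None."""
    ip = ipaddress.ip_address(ip_str)
    for net, info in HOSTING_PREFIXES.items():
        if ip in net:
            return info
    return None


def find_hosting_vpn_logins(lines):
    """Flag successful SSL VPN logins originating from hosting/VPS address space."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["msg"] != "SSL VPN login succeeded":
            continue  # unparsable line or a failed attempt: not an access event
        info = lookup_asn(m["src"])
        if info:
            hits.append(Hit(m["ts"], m["user"], m["src"], *info))
    return hits


if __name__ == "__main__":
    for h in find_hosting_vpn_logins(SAMPLE_LOGS):
        print(f"ALERT {h.ts} user={h.user} src={h.src} asn={h.asn} ({h.org})")
```

Each alert identifies an account whose credentials may be compromised and should be reviewed alongside the MFA and account-hygiene steps above.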

Arctic Wolf Labs is continuing its investigation into the campaign and will share further details as they become available. In the meantime, organizations using SonicWall firewalls are urged to review their security posture and take immediate action to mitigate this active threat.

SonicWall’s end-of-life appliances from the SMA 100 series are once again highlighted after investigators uncovered a covert campaign that combines a suspected zero-day remote-code-execution vulnerability with a sophisticated backdoor known as OVERSTEP.
