SonicWall Investigates Possible Zero-Day Amid Akira Ransomware Surge
SonicWall is probing a potential new zero-day after a surge in Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled. The company is working to determine if the incidents stem from an existing flaw or a newly discovered vulnerability.
The situation came to light when third-party cybersecurity research teams highlighted threat activity involving Gen 7 SonicWall firewalls where SSLVPN is enabled. SonicWall is actively investigating these incidents, collaborating with external threat researchers, and keeping partners and customers informed.
Arctic Wolf Labs Researchers Suspect a Zero-Day Vulnerability in SonicWall VPNs
Arctic Wolf Labs researchers recently reported that Akira ransomware is exploiting SonicWall SSL VPNs in a likely zero-day attack, targeting even fully patched devices. The attackers often used VPS hosting for VPN logins, unlike legitimate access from ISPs.
According to the report published by Arctic Wolf Labs, evidence suggests a likely zero-day vulnerability in SonicWall VPNs. Fully patched devices with MFA and rotated credentials were still compromised in some attacks. "While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability," reads the report.
Ransomware Activity Targeting SonicWall SSL VPNs Surged
Ransomware activity targeting SonicWall SSL VPNs surged from July 15, 2025, with similar cases dating back to October 2024.
Arctic Wolf observed short dwell times, with encryption following soon after initial VPN access, and says it is applying its own recommended defenses internally. "In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments," continues the report.
SonicWall Offers Recommendations to Mitigate the Threat
SonicWall advises disabling SSLVPN where possible, restricting SSLVPN access to trusted source IPs, enabling security services such as Botnet Protection and Geo-IP Filtering, enforcing MFA for all remote access (with the caveat that MFA may not fully prevent this threat, since fully patched devices with MFA enforced were still compromised), removing unused firewall accounts, especially those with SSLVPN access, and maintaining strong password practices with regular rotation.
These steps aim to reduce risk while SonicWall continues its investigation. Researchers also recommend that organizations consider blocking VPN authentication from hosting-related ASNs, given that the observed malicious logins came from VPS providers rather than the broadband ISPs that legitimate users typically connect from.
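The two signals discussed above, VPN logins sourced from hosting/VPS ASNs and the brute-force activity that Arctic Wolf has not yet ruled out, can be checked against firewall authentication logs. The Python below is an added example written for this article, not code from SonicWall, Arctic Wolf or Huntress. The log line format, the prefix-to-ASN table and the ASN numbers (taken from reserved documentation ranges) are constructed for illustration; a real deployment would parse the firewall's own syslog output and use a maintained ASN database.

```python
"""Flag SSL VPN logins from hosting ASNs and brute-force-then-success patterns.

Added example for this article; not SonicWall's, Arctic Wolf's or Huntress's code.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical prefix -> ASN table, constructed for this example using RFC 5737
# documentation prefixes and reserved ASNs. In practice, source this from an ASN
# database and a maintained list of hosting/VPS/cloud ASNs.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "EXAMPLE-VPS-HOSTING", True),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "EXAMPLE-CLOUD", True),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "EXAMPLE-BROADBAND-ISP", False),
]

# Constructed log format for this example; it is not SonicWall's syslog schema.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Number of failures from one source before a success that we treat as brute force.
FAILURE_THRESHOLD = 5


@dataclass
class LoginEvent:
    ts: str
    user: str
    src: str
    success: bool
    asn: Optional[int]
    asn_name: str
    hosting: bool


def lookup_asn(ip_str):
    """Longest-match is unnecessary here: the table has no overlapping prefixes."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn, name, hosting in ASN_TABLE:
        if ip in net:
            return asn, name, hosting
    return None, "UNKNOWN", False


def parse_line(line):
    """Return a LoginEvent, or None if the line is not a login record."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    asn, name, hosting = lookup_asn(m["src"])
    return LoginEvent(m["ts"], m["user"], m["src"], m["result"] == "success",
                      asn, name, hosting)


def analyse(lines):
    """Return (hosting_successes, brute_force_sources).

    hosting_successes: successful logins whose source IP sits in a hosting ASN.
    brute_force_sources: src IP -> failure count, for sources whose success was
    preceded by at least FAILURE_THRESHOLD failures. A hosting-ASN success with
    no preceding failures is the pattern the report associates with a zero-day
    rather than with credential guessing.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    failures = Counter()
    hosting_successes = []
    brute_force = {}
    for e in events:
        if not e.success:
            failures[e.src] += 1
            continue
        if e.hosting:
            hosting_successes.append(e)
        if failures[e.src] >= FAILURE_THRESHOLD:
            brute_force[e.src] = failures[e.src]
        failures[e.src] = 0  # reset the run after a success
    return hosting_successes, brute_force


def deny_prefixes():
    """CIDRs of hosting ASNs, suitable for an address-object deny list."""
    return sorted(str(net) for net, _, _, hosting in ASN_TABLE if hosting)


# Constructed sample log lines: one ISP login, one clean hosting-ASN login, and
# one hosting-ASN login preceded by six failures.
SAMPLE_LOGS = [
    "2025-07-20T02:10:01Z sslvpn user=jdoe src=198.51.100.7 result=success",
    "2025-07-20T02:14:07Z sslvpn user=msmith src=203.0.113.45 result=success",
] + [
    f"2025-07-20T03:00:0{i}Z sslvpn user=admin src=192.0.2.9 result=failure"
    for i in range(6)
] + [
    "2025-07-20T03:00:06Z sslvpn user=admin src=192.0.2.9 result=success",
]

if __name__ == "__main__":
    hosting, brute = analyse(SAMPLE_LOGS)
    for e in hosting:
        tag = "brute-force" if e.src in brute else "no prior failures"
        print(f"{e.ts} {e.user} from {e.src} AS{e.asn} {e.asn_name}: {tag}")
    print("deny list:", deny_prefixes())
```

The msmith login is flagged purely on its source ASN, with no failed attempts before it, which is the kind of event worth escalating given the report's observation that fully patched, MFA-protected devices were compromised; the admin login from 192.0.2.9 is flagged on both signals and looks like ordinary credential guessing.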
The Akira Ransomware Gang: A Growing Threat
The Akira ransomware has been active since March 2023, and the threat actors behind it have compromised organizations across multiple industries, including education, finance, and real estate.
Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers. Cybersecurity firm Huntress has tracked about 20 attacks since July 25, 2025, in which the attackers used tools such as AnyDesk, ScreenConnect, and SSH.
Huntress Investigation Finds Suspected Vulnerability in Firmware Versions 7.2.0-7015 and Earlier
"During our investigation into telemetry related to this activity, we've found evidence to suggest that this compromise may be limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled. We can confirm that the suspected vulnerability exists in firmware versions 7.2.0-7015 and earlier," reads the report published by Huntress.
"We've currently had around 20 different attacks that are directly related to this particular set of events, with the first of these starting on July 25. Of these attacks, there are some similarities, but also some differences in how each attacker operated. It is apparent that some of these attackers have at least part of the same playbook, or that they are adaptive to whatever situations they happen to encounter."