SonicWall firewalls targeted in ransomware attacks, possibly via zero-day

Attackers wielding the Akira ransomware and possibly a zero-day exploit have been spotted targeting SonicWall firewalls since July 15, 2025.


“In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” Arctic Wolf researchers have warned.

Though they haven’t yet ruled out the possibility of the attackers achieving initial access to the devices through brute force, dictionary attacks and credential stuffing, there is evidence that points to the existence and exploitation of a zero-day vulnerability.

“In some instances, fully patched SonicWall devices were affected following credential rotation. Despite [time-based one-time password] [multi-factor authentication] being enabled, accounts were still compromised in some instances,” they shared, and warned that the attackers move quickly: “a short interval was observed between initial SSL VPN account access and ransomware encryption.”

Arctic Wolf Labs researchers are still investigating this particular campaign. In the meantime, they have advised organizations to consider disabling the SonicWall SSL VPN service until there’s more clarity on whether the attackers are exploiting a zero-day and, if so, until a patch is made available and deployed.

They should also check for (and block) suspicious VPN logins originating from Virtual Private Server hosting providers. (The researchers have listed five of them.)

The Akira ransomware-as-a-service outfit sprang up in early 2023, and has since managed to extort tens of millions of US dollars from its 250+ victims.

The group – or its affiliates – have a penchant for targeting internet-exposed edge and security devices developed by Cisco and SonicWall.

Also under attack: SonicWall SMA devices

This latest warning has landed a week after SonicWall urged customers to patch a newly uncovered vulnerability (CVE-2025-40599) affecting its Secure Mobile Access (SMA) 210, 410 or 500v appliances.

According to SonicWall, there is no evidence that CVE-2025-40599 – an authenticated file upload vulnerability – is being exploited by attackers. Still, the company advised organizations running those devices to check whether they’ve been compromised in an earlier attack campaign spotted and investigated by Google’s security experts.

The first step of that campaign may have started as early as January 2025, Google’s Threat Intelligence Group (GTIG) found, but they have yet to determine whether the attackers leveraged a zero-day vulnerability to install the persistent OVERSTEP rootkit/backdoor and/or deploy ransomware.

Last week, SonicWall published an urgent advisory with advice on how to remove the rootkit, upgrade/rebuild compromised devices, rotate credentials and reset OTP seeds/bindings. Google’s researchers have also updated their report with a new network indicator of compromise associated with this campaign.

UPDATE (August 4, 2025, 11:10 a.m. ET):

Huntress researchers have responded to similar incidents and say that “the speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild,” and that the threat actors are pivoting to domain controllers within hours of the initial breach.

Once they gain access to the network via a SonicWall appliance, the attackers abuse privileged accounts, establish a persistent backdoor into the network, steal credentials, disable defenses and, finally, delete Volume Shadow Copies before deploying the Akira ransomware.

“We’ve currently had around 20 different attacks that are directly related to this particular set of events, with the first of these starting on July 25. Of these attacks, there are some similarities, but also some differences in how each attacker operated,” they shared.

“It is apparent that some of these attackers have at least part of the same playbook, or that they are adaptive to whatever situations they happen to encounter. Methodologies varied from utilizing tools brought in like Advanced_IP_Scanner, WinRAR, and FileZilla, to relying on various built-in tools (LOLBins), as well as installing various persistence mechanisms like new accounts, SSH, or full-blown RMMs like AnyDesk.”

Huntress has shared indicators of compromise and advised organizations to disable VPN access on the SonicWall firewall or restrict access to trusted IP addresses only.

They also advised auditing service accounts and hunting for malicious activity.
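The advice from both Arctic Wolf (block VPN logins from VPS hosting providers) and Huntress (restrict VPN access to trusted IP addresses) comes down to checking the source address of every successful SSL VPN login against a block list and an allow list. The following script is an added illustration, not code from either vendor or from SonicWall: the key=value log format is an assumed generic syslog style, and the CIDRs are RFC 5737 placeholders standing in for the real hosting-provider and trusted ranges.

```python
import ipaddress
import re

# Constructed sample log lines in a generic key=value syslog style; this is an
# assumed format for illustration, not SonicWall's actual log schema.
SAMPLE_LOGS = [
    'time="2025-07-26 02:14:07" msg="SSL VPN login successful" usr="jdoe" src=203.0.113.45',
    'time="2025-07-26 02:15:30" msg="SSL VPN login successful" usr="svc_backup" src=192.0.2.10',
    'time="2025-07-26 02:20:11" msg="SSL VPN login failed" usr="admin" src=203.0.113.90',
    'time="2025-07-26 03:01:44" msg="SSL VPN login successful" usr="svc_backup" src=198.51.100.7',
]

# Placeholder CIDRs (RFC 5737 documentation ranges). In practice, populate
# VPS_RANGES from the hosting providers named in the Arctic Wolf report and
# TRUSTED_RANGES from the organization's own offices and known egress addresses.
VPS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify_source(src_ip):
    """Return 'trusted', 'vps' or 'unknown' for a login's source address."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in TRUSTED_RANGES):
        return "trusted"
    if any(addr in net for net in VPS_RANGES):
        return "vps"
    return "unknown"


def find_suspicious_logins(lines):
    """Successful SSL VPN logins that did not come from a trusted range.

    'vps' hits are the hosting-provider sources the vendors advise blocking;
    'unknown' hits are what an allow-list-only policy would also reject."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f.get("msg") != "SSL VPN login successful":
            continue  # failed attempts are left to the brute-force/lockout logic
        verdict = classify_source(f["src"])
        if verdict != "trusted":
            hits.append({"time": f["time"], "user": f["usr"], "src": f["src"], "verdict": verdict})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_logins(SAMPLE_LOGS):
        print(f'{h["time"]} {h["user"]:<12} {h["src"]:<16} {h["verdict"]}')
```

The same check works as a pre-filter for a SIEM rule: the 'vps' verdicts are candidates for an immediate block, and any 'unknown' verdict on a service account is worth the account audit Huntress recommends.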
