Threat Insight

Akira Ransomware Exploiting Potential Zero-Day in SonicWall SSL VPN

Since July this year, Arctic Wolf[1] has observed an increase in ransomware activity targeting SonicWall firewall devices for initial access.


Arctic Wolf also suggests that the attacks could be exploiting an as-yet-unidentified security flaw in the appliances, i.e. a Zero-Day vulnerability, given that some of the incidents affected SonicWall devices that were fully patched.

The latest surge in ransomware incidents targeting SonicWall SSL VPNs appears to have started around July 15, 2025, although traces of similar unauthorized VPN logins date back as early as October 2024. Consistent with the ransomware patterns identified in Arctic Wolf’s earlier research, there was a brief window between the initial access via SSL VPN accounts and the onset of encryption activity.

Exploitation

An increase in ransomware activity has been observed since July, with a potential SonicWall VPN Zero-Day being used for initial access.

Due to the strong possibility of a Zero-Day vulnerability, it is advisable for organizations to temporarily disable the SonicWall SSL VPN service until an official patch is released and fully implemented.

Implement multi-factor authentication (MFA) for remote access, remove any inactive or unused local firewall user accounts, and maintain strong password hygiene practices.
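As an added illustration of the account-hygiene advice above (not code from the advisory or from Arctic Wolf), the following Python check flags successful SSL VPN logins by accounts that are missing from the active-user inventory or that had been dormant for a long period, the kind of unused local account the guidance says to remove. The log line format, account names, IP addresses and timestamps are all constructed for the example and are not SonicWall's real log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample SSL VPN login events (timestamp, user, source IP, outcome).
# This is an invented format, not SonicWall's actual syslog layout.
SAMPLE_EVENTS = """\
2025-07-10T08:02:11Z alice 203.0.113.10 success
2025-07-11T08:05:40Z alice 203.0.113.10 success
2025-07-14T23:41:03Z svc_backup 198.51.100.7 success
2025-07-15T02:17:55Z contractor_old 198.51.100.7 success
2025-07-15T09:00:12Z alice 203.0.113.10 success
"""

# Constructed inventory: accounts currently approved for VPN use, and the last
# known activity of each local account before this log window.
SAMPLE_ACTIVE_USERS = {"alice", "svc_backup"}
SAMPLE_LAST_SEEN = {
    "alice": datetime(2025, 7, 9),
    "svc_backup": datetime(2025, 1, 20),
    "contractor_old": datetime(2024, 10, 1),
}

@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    result: str

def parse_events(text):
    """Parse the constructed whitespace-separated log format into Event objects."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, result = line.split()
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result))
    return events

def flag_suspicious_logins(events, active_users, last_seen, dormant_days=90):
    """Return (user, reason) pairs for successful logins that are either
    (a) by an account not in the active-user inventory, or
    (b) by an account whose previous activity is older than dormant_days."""
    seen = dict(last_seen)  # copy so the caller's inventory is not mutated
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result != "success":
            continue
        if ev.user not in active_users:
            flagged.append((ev.user, "login by account not in active-user inventory"))
        prev = seen.get(ev.user)
        if prev is not None and ev.ts - prev > timedelta(days=dormant_days):
            flagged.append((ev.user, f"login after {(ev.ts - prev).days} days dormant"))
        seen[ev.user] = ev.ts
    return flagged

def run_sample():
    return flag_suspicious_logins(parse_events(SAMPLE_EVENTS), SAMPLE_ACTIVE_USERS, SAMPLE_LAST_SEEN)
```

Both flagged accounts in the sample would be candidates for removal or investigation under the guidance above; the dormancy threshold is a tunable assumption.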

References

[1] https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/