Akira Ransomware exploits year-old SonicWall flaw with multiple vectors

Pierluigi Paganini September 11, 2025

Researchers warn that Akira ransomware group is exploiting a year-old SonicWall firewall flaw, likely using three attack vectors for initial access.

The Akira ransomware group is exploiting a year-old SonicWall firewall vulnerability, tracked as CVE-2024-40766 (CVSS score of 9.3), likely using three attack vectors for initial access, according to Rapid7.

“Evidence collected during Rapid7’s investigations suggests that the Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” reads the report published by Rapid7.

The vulnerability is an improper access control issue that resides in the SonicWall SonicOS management access. An attacker can exploit the issue to achieve unauthorized access to the devices.

SonicWall addressed the critical flaw in its firewalls in August 2024, and the US CISA added it to its Known Exploited Vulnerabilities (KEV) catalog in September 2024.

In August 2025, SonicWall investigated claims of a zero-day being used in ransomware attacks but found no evidence of any new vulnerability in its products.

SonicWall launched the investigation after a surge in Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled. The company worked to determine if the incidents stem from an existing flaw or a newly discovered vulnerability.

SonicWall later confirmed that there’s no zero-day involved in recent ransomware attacks, but rather the exploitation of a known flaw, CVE-2024-40766. While many systems have since been patched, attackers can still access them if credentials weren’t changed. Fewer than 40 related incidents are under investigation by SonicWall, mostly tied to firewall migrations.

“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015,” reads the advisory published by the security vendor.

“We are currently investigating less than 40 incidents related to this cyber activity. Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset. Resetting passwords was a critical step outlined in the original advisory.”

SonicWall issued new guidance on the SSLVPN Default Users Group risk, which may grant unauthorized access in certain LDAP setups. Rapid7 also found threat actors abusing the Virtual Office Portal to configure MFA/TOTP with exposed credentials. Evidence suggests Akira ransomware is exploiting a mix of these flaws for attacks.

Rapid7 urges SonicWall users to secure accounts, enable MFA, fix SSLVPN Default Groups risk, restrict and monitor the Virtual Office Portal, and apply security patches.

The Akira ransomware operation has been active since March 2023. The threat actors behind the malware claim to have already hacked multiple organizations across several industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
