In late July 2025, cybersecurity researchers identified a significant uptick in ransomware attacks targeting SonicWall firewall devices. The Akira ransomware group is exploiting a suspected zero-day vulnerability within SonicWall’s SSL VPN feature, enabling unauthorized access to corporate networks and subsequent ransomware deployment.
Discovery of the Vulnerability
The Akira ransomware group has been observed leveraging this zero-day flaw to gain initial access to networks. Notably, these intrusions have succeeded even on fully patched SonicWall firewalls, suggesting the exploitation of an unknown vulnerability. In some instances, attackers have bypassed multi-factor authentication (MFA), indicating a sophisticated attack vector that circumvents standard security measures.
Attack Methodology
The recent surge in activity, beginning around July 15, 2025, has been attributed to the Akira ransomware gang. This group has been observed using compromised credentials to log into SonicWall SSL VPNs, often from IP addresses associated with Virtual Private Server (VPS) hosting providers rather than typical residential or business internet services. The time between the initial VPN breach and the deployment of ransomware is notably short, giving victims little time to react. While malicious VPN logins have been observed since at least October 2024, the latest campaign shows a marked escalation.
Recommendations for Mitigation
Given the high likelihood of an unpatched vulnerability, Arctic Wolf has issued a primary recommendation for organizations to disable the SonicWall SSL VPN service immediately until an official patch is developed and deployed. This drastic step is advised to prevent initial access and subsequent network compromise.
In addition to this critical measure, security experts have reiterated general best practices for hardening firewall security. SonicWall recommends enabling security services like Botnet Protection, enforcing MFA on all remote access accounts, and practicing good password hygiene with periodic updates. Furthermore, administrators are advised to remove any inactive or unused local user accounts, particularly those with VPN access, to reduce the attack surface.
Organizations are also encouraged to block VPN authentication attempts originating from a list of specific hosting-related Autonomous System Numbers (ASNs) that have been associated with this malicious campaign. While these networks are not inherently malicious, their use for VPN authentication is highly suspicious in this context.
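As an added illustration of the two detection points above (VPN logins from hosting-provider address space, and the ASN-based blocking recommendation), the following script flags successful SSL VPN logins whose source IP maps to a hosting ASN. It is example code written for this article, not SonicWall or Arctic Wolf tooling; the log line format, the prefix-to-ASN table and the ASN numbers are all constructed placeholders, and a real deployment would use the advisory's ASN list with an IP-to-ASN database.

```python
"""Flag SSL VPN logins that originate from hosting-related ASNs (constructed example)."""
import ipaddress
import re

# Constructed prefix -> ASN table standing in for a real IP-to-ASN lookup.
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,  # hypothetical VPS provider
    ipaddress.ip_network("198.51.100.0/24"): 64501,  # hypothetical residential ISP
    ipaddress.ip_network("192.0.2.0/24"): 64502,     # hypothetical VPS provider
}

# Placeholder hosting ASNs; substitute the list published for this campaign.
HOSTING_ASNS = {64500, 64502}

# Hypothetical syslog-style login event; field names are assumed, not vendor-exact.
LOGIN_RE = re.compile(
    r'^(?P<ts>\S+) \S+ msg="SSL VPN login allowed" '
    r'usr="(?P<user>[^"]+)" src=(?P<src>[\d.]+)$'
)


def asn_for(ip: str):
    """Return the ASN for an IP from the constructed table, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net:
            return asn
    return None


def suspicious_logins(lines):
    """Return (timestamp, user, src, asn) for successful logins from hosting ASNs."""
    hits = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:  # failed logins and unrelated events are ignored
            continue
        asn = asn_for(m["src"])
        if asn in HOSTING_ASNS:
            hits.append((m["ts"], m["user"], m["src"], asn))
    return hits


# Constructed sample events; addresses are from documentation ranges.
SAMPLE_LOGS = [
    '2025-07-15T02:11:09Z fw1 msg="SSL VPN login allowed" usr="jdoe" src=203.0.113.45',
    '2025-07-15T02:13:50Z fw1 msg="SSL VPN login allowed" usr="asmith" src=198.51.100.7',
    '2025-07-15T02:20:31Z fw1 msg="SSL VPN login failed" usr="jdoe" src=192.0.2.9',
    '2025-07-15T03:02:14Z fw1 msg="SSL VPN login allowed" usr="svc_backup" src=192.0.2.9',
]

if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOGS):
        print("review:", hit)
```

Each flagged login is a review item, not proof of compromise, since hosting networks are not inherently malicious; the value is in surfacing logins from address space where legitimate users rarely originate.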
Ongoing Investigation
Arctic Wolf Labs is continuing its investigation into the campaign and will share further details as they become available. In the meantime, organizations using SonicWall firewalls are urged to review their security posture and take immediate action to mitigate this active threat.