8 August 2025


Cyber threat advisory: Exploitation of SonicWall VPN devices


Background

Since early July 2025, S-RM has responded to an increased number of incidents in which SonicWall firewalls with SSL VPN enabled were identified as the initial access vector. All of these cases led to the deployment of Akira ransomware.

In many of these cases the SonicWall appliance was running the latest available firmware and had multi-factor authentication enabled. Other security vendors reported the same trend, which led to suggestions that the Akira ransomware group was actively exploiting a zero-day vulnerability in SonicWall SSL VPN services.

On 6 August 2025, SonicWall published a blog post stating with high confidence that the increased activity was not connected to a zero-day vulnerability but correlated with incomplete remediation of CVE-2024-40766, an improper access control vulnerability in SonicOS disclosed in 2024. In practice this means that applying firmware updates alone was not sufficient: the accompanying password-reset step in SonicWall's original guidance also had to be completed.

What to do now

We urgently advise all clients running SonicWall firewalls with SSL VPN enabled to apply the following remediation steps:

  • Update firmware to the latest available version
  • Reset the passwords of all local user accounts with SSL VPN access, particularly if this was not done during previous patching or upgrade cycles; this step is part of completing remediation for CVE-2024-40766, not optional hardening
  • Enforce MFA for all accounts and implement strong password policies
  • Remove unused user accounts
  • Reset the credentials of firewall and VPN service accounts
  • Conduct threat hunting for evidence of suspicious activity, such as local account creation and unauthorised lateral movement

Affected appliances

The activity has not been associated with a specific version of SonicWall appliances. SonicWall has correlated the campaign to devices which were previously vulnerable to CVE-2024-40766, which impacted the following versions:

  • SonicOS 5.9.2.14-12o and older versions
  • SonicOS 6.5.4.14-109n and older versions
  • SonicOS build version 7.0.1-5035 and older versions

Post exploitation tactics identified

S-RM's Incident Response team has observed the following tactics, techniques and procedures (TTPs) immediately following initial access via the SonicWall SSL VPN:

  • Enabling ‘xp_cmdshell’ on SQL Server instances to execute operating system commands from the database engine
  • Creation of local accounts on compromised servers named ‘sql’ and ‘backupsql’
  • Network discovery using ‘netscan.exe’ (SoftPerfect Network Scanner)
  • Establishment of Cloudflare tunnels via OpenSSH for remote access
  • Data exfiltration via WinSCP
  • Deletion of Volume Shadow Copies to prevent file recovery
  • Deployment of Akira ransomware, which renames encrypted files with the extension ‘.arika’ or ‘.akira’
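The threat-hunting step in the remediation list above and the TTP list just given describe what to look for but not how to look. The following is an added example, written for this page and not code from S-RM or SonicWall, of a hunt script that runs the TTPs above as detection rules over exported log lines. It assumes Windows Security event 4720 (account created) and Sysmon events 1 (process creation) and 11 (file created) have been flattened to a `timestamp host=... EventID=... key=value` form, and that SQL Server's ERRORLOG is available as text; the sample events, host names and file paths are constructed for the example. The `wmic shadowcopy delete` pattern is a common equivalent of the vssadmin command and is included as an assumption beyond the page's TTP list.

```python
"""Hunt flattened Windows / SQL Server log lines for the Akira post-exploitation TTPs."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample events (not real incident data). Windows Security and Sysmon
# events are flattened to "timestamp host=... EventID=... key=value" form; the
# xp_cmdshell line is in SQL Server ERRORLOG format.
SAMPLE_LOGS = [
    r'2025-07-14T02:11:09Z host=SQL01 EventID=4720 SubjectUserName=svc_admin TargetUserName=backupsql',
    "2025-07-14 02:13:40.12 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    r'2025-07-14T02:20:01Z host=SQL01 EventID=1 Image="C:\Users\Public\netscan.exe" CommandLine="netscan.exe /range:10.0.0.0/24"',
    r'2025-07-14T02:45:12Z host=FS01 EventID=1 Image="C:\ProgramData\ssh\cloudflared.exe" CommandLine="cloudflared.exe tunnel run"',
    r'2025-07-14T03:05:33Z host=FS01 EventID=1 Image="C:\Program Files (x86)\WinSCP\WinSCP.exe" CommandLine="WinSCP.exe"',
    r'2025-07-15T01:02:00Z host=FS01 EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet"',
    r'2025-07-15T01:09:41Z host=FS01 EventID=11 Image="C:\Users\Public\w.exe" TargetFilename="D:\Shares\Finance\Q2.xlsx.akira"',
    r'2025-07-15T08:30:00Z host=DC01 EventID=4720 SubjectUserName=hr_admin TargetUserName=jsmith',
    r'2025-07-15T08:31:00Z host=DC01 EventID=1 Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
]

# Indicators taken from the TTP list: the account names and tools reported.
ATTACKER_ACCOUNT_NAMES = {"sql", "backupsql"}
ATTACKER_TOOLS = {
    "netscan.exe": "network discovery",
    "winscp.exe": "possible data exfiltration",
    "cloudflared.exe": "Cloudflare tunnel (remote access channel)",
}
RANSOM_EXTENSIONS = (".akira", ".arika")
# Exact text SQL Server writes to ERRORLOG when xp_cmdshell is switched on.
XP_CMDSHELL_ENABLED = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")
# vssadmin is the usual command; the wmic form is an assumed common equivalent.
SHADOW_COPY_DELETE = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    when: str
    host: str
    rule: str
    severity: str   # high = act now, medium = confirm, review = baseline check
    detail: str


def parse_fields(line: str) -> dict:
    """Turn key=value and key="quoted value" tokens into a dict."""
    return {k: (q or u) for k, q, u in KEY_VALUE.findall(line)}


def hunt(lines) -> list:
    """Apply each TTP as a rule; returns one Finding per matching line."""
    findings = []
    for line in lines:
        when = line.split(maxsplit=1)[0]
        fields = parse_fields(line)
        host = fields.get("host", "?")

        if XP_CMDSHELL_ENABLED.search(line):
            findings.append(Finding(when, host, "xp_cmdshell_enabled", "high",
                                    "xp_cmdshell turned on: OS command execution from SQL Server"))
            continue

        event_id = fields.get("EventID")
        if event_id == "4720":  # Security: a user account was created
            name = fields.get("TargetUserName", "").lower()
            if name in ATTACKER_ACCOUNT_NAMES:
                findings.append(Finding(when, host, "attacker_account_created", "high",
                                        f"local account '{name}' matches reported attacker naming"))
            else:
                findings.append(Finding(when, host, "local_account_created", "review",
                                        f"local account '{name}' created; confirm it was authorised"))
        elif event_id == "1":  # Sysmon: process creation
            image = PureWindowsPath(fields.get("Image", "")).name.lower()
            cmdline = fields.get("CommandLine", "")
            if SHADOW_COPY_DELETE.search(cmdline):
                findings.append(Finding(when, host, "shadow_copy_deletion", "high", cmdline))
            elif image in ATTACKER_TOOLS:
                findings.append(Finding(when, host, f"tool:{image}", "medium", ATTACKER_TOOLS[image]))
        elif event_id == "11":  # Sysmon: file created
            target = fields.get("TargetFilename", "").lower()
            if target.endswith(RANSOM_EXTENSIONS):
                findings.append(Finding(when, host, "ransomware_extension", "high", target))
    return findings


def severity_counts(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in sorted(hunt(SAMPLE_LOGS), key=lambda f: f.when):
        print(f"{f.when} {f.host:<6} {f.severity:<6} {f.rule:<26} {f.detail}")
```

Every account creation is surfaced, not only the reported ‘sql’ and ‘backupsql’ names, because an intrusion that has progressed past the named accounts will use others; the benign ‘jsmith’ event is deliberately left at review severity so the hunt produces a triage list rather than a verdict.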

If malicious activity is identified

  1. Shut off SSL VPN access immediately
  2. Trigger your incident response plan
  3. Engage an expert cyber incident response firm
  4. Preserve evidence
  5. Implement a containment plan to limit the threat actor’s access inside the network
  6. Implement a threat hunting and eradication plan to remove the threat actor from the network
  7. Conduct forensics across impacted devices to identify potential data exfiltration


Please contact S-RM if you are concerned about your organisation’s exposure to this vulnerability.
