Increase in ransomware attacks potentially tied to undiscovered vulnerability in SonicWall equipment
In a concerning turn of events, a wave of ransomware attacks has been targeting SonicWall firewall devices since mid-July 2025. The attacks, involving the Akira ransomware variant, have been reported by security researchers from Arctic Wolf, Huntress, Google, and Mandiant.
The attacks appear to be exploiting a zero-day vulnerability in the SonicWall SSL VPN protocol, allowing unauthorized access and bypassing multi-factor authentication (MFA). This revelation is significant, as it suggests that even fully patched SonicWall devices, some with MFA enabled, have been compromised.
The zero-day vulnerability affects firmware versions 7.2.0-7015 and earlier on SonicWall firewalls. Once initial access is gained via the SSL VPN zero-day, attackers quickly move laterally, often pivoting directly to domain controllers within hours to deploy Akira ransomware, minimizing dwell time between breach and encryption.
The Akira ransomware group, active since early 2023 and known to extort tens of millions from over 250 victims, has a history of targeting internet-exposed edge and security devices from vendors like SonicWall and Cisco.
Security firms recommend that organizations immediately disable SonicWall SSL VPN services, or severely restrict access to them via IP allow-listing, until a patch or official guidance is available. SonicWall is investigating the attacks and has not yet confirmed whether the exploited flaw is a previously disclosed vulnerability or a new zero-day. The company intends to release a patch promptly if a new vulnerability is confirmed.
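One way to act on the allow-listing advice above from the detection side, as an added example that is not from the article, Arctic Wolf or SonicWall: a small Python check that parses SonicWall-style key=value syslog lines and flags successful SSL VPN logins whose source address is outside the allow-list. The sample lines, the message text and the field names are constructed assumptions for illustration, not vendor documentation.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in a SonicWall-like key=value syslog style.
# Field names and message text are assumptions, not a vendor specification.
SAMPLE_SYSLOG = """\
id=firewall sn=EXAMPLE time="2025-07-16 02:14:05" src=203.0.113.45:51234:X1 usr="jdoe" msg="SSL VPN zone remote user login allowed"
id=firewall sn=EXAMPLE time="2025-07-16 02:15:11" src=198.51.100.7:44012:X1 usr="svc_backup" msg="SSL VPN zone remote user login allowed"
id=firewall sn=EXAMPLE time="2025-07-16 02:16:40" src=203.0.113.45:51240:X1 usr="jdoe" msg="SSL VPN zone remote user login failed"
"""

# Constructed allow-list: the only network from which SSL VPN logins are expected.
ALLOW_LIST = [ipaddress.ip_network("203.0.113.0/24")]

# key=value pairs; values are either a double-quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value syslog line, stripping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def src_ip(field: str) -> str:
    """The assumed src field looks like ip:port:iface; keep only the ip part."""
    return field.split(":")[0]


def find_unexpected_sslvpn_logins(log_text: str, allow_list) -> List[Dict[str, str]]:
    """Return successful SSL VPN logins from source IPs outside the allow-list.

    Failed logins are ignored: the interesting event is a login that succeeded
    from a place an IP restriction should have blocked.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_kv(line)
        msg = ev.get("msg", "")
        if "SSL VPN" not in msg or "login allowed" not in msg:
            continue
        ip = ipaddress.ip_address(src_ip(ev["src"]))
        if not any(ip in net for net in allow_list):
            hits.append({"time": ev["time"], "user": ev["usr"], "src": str(ip)})
    return hits


if __name__ == "__main__":
    for h in find_unexpected_sslvpn_logins(SAMPLE_SYSLOG, ALLOW_LIST):
        print(f"{h['time']} user={h['user']} src={h['src']} logged in from outside the allow-list")
```

On the constructed sample, only the svc_backup login from 198.51.100.7 is reported; the jdoe events come from the allow-listed range or failed.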
The attacks began on July 15 and involved VPN access through SonicWall SSL VPNs. Arctic Wolf has observed cases where hackers compromised fully patched SonicWall devices, despite the owners rotating their credentials. The researchers have found that hackers deployed the Akira ransomware variant in hands-on-keyboard attacks after compromising SonicWall SSL VPNs.
While the extent and impact of the attacks are not specified, they are believed to be affecting SonicOS devices. The investigation into these attacks is still preliminary, according to Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf. No further details about the zero-day vulnerability have been offered yet.
Arctic Wolf researchers note that the activity escalated into intrusions the following week. A SonicWall spokesperson was not immediately available for comment on the 2024 attacks, which Arctic Wolf says may not have been solely the result of brute-force attacks or credential stuffing.
- The wave of Akira ransomware attacks targeting SonicWall firewall devices since mid-July 2025 underscores the importance of robust security for internet-exposed network equipment.
- The attacks are exploiting a zero-day vulnerability in the SonicWall SSL VPN protocol, showing that even systems with threat intelligence and multi-factor authentication in place remain exposed to unpatched flaws.
- The Akira ransomware group, known for extorting millions from its victims, has a history of targeting edge and security devices from vendors like SonicWall and Cisco.
- The ongoing investigation aims to establish the extent and impact of the attacks on SonicOS devices and to determine whether the exploited flaw is a previously disclosed vulnerability or a new zero-day.
- Until a patch or official guidance is available from SonicWall, security firms recommend that organizations prioritize disabling SonicWall SSL VPN services or restricting access to them.