
SonicWall is probing a potential zero-day vulnerability associated with assaults on its firewalls

Ransomware attacks using the Akira strain have seen a significant increase, allegedly exploiting a flaw in SonicWall's security systems.


In the past few weeks, a surge in Akira ransomware attacks has targeted SonicWall Gen 7 firewalls. The initial suspicion of a novel zero-day exploit has since shifted towards exploitation of a known vulnerability, CVE-2024-40766, combined with credential-based access[1][2][3][4][5].

Timeline and Targets

The attacks began on July 15, as reported by Arctic Wolf on August 1. Since then, there has been a noticeable increase in ransomware activity, primarily targeting SonicWall firewall devices with SSL VPN enabled and Gen 7 hardware[1][4][5].

Attack Method

Initial access often involves VPN logins through SonicWall SSL VPNs. Some attacks occurred on fully patched devices, which initially pointed to either credential compromise or an as-yet-unknown zero-day flaw[1][2][3][5]. However, SonicWall and security researchers now largely agree that no new zero-day is involved; rather, attackers exploit the known vulnerability CVE-2024-40766, disclosed in August 2024, combined with weak credential management practices such as local accounts that were reused or left unchanged after migrations[4][5].

CVE-2024-40766

This vulnerability correlates strongly with the recent attacks and is being actively exploited by threat actors deploying Akira ransomware[4][5].

Credential-Based Attacks

Many incidents involved attackers leveraging compromised credentials, including in environments with rotated passwords and even multifactor authentication, highlighting sophisticated credential theft or brute-force techniques[2][4].

Pre-Intrusion Activity

Researchers observed a short interval between VPN account access and ransomware deployment, with the access often originating from endpoints hosted on virtual private servers rather than typical broadband ISP networks, indicative of hands-on-keyboard adversary operations[3][5].

Mitigation Recommendations

Until patches or updates addressing these issues are applied, organizations are advised to:

  • Disable SonicWall SSL VPN services if possible.
  • Enforce strict credential hygiene, especially resetting local firewall user passwords after upgrades.
  • Monitor VPN logs for anomalous access patterns, particularly connections from unusual IPs like VPS providers[3][4][5].

SonicWall is urging customers to disable SSLVPN services when practical, limit SSL VPN to trusted sources, enforce multifactor authentication, enable botnet filtering and Geo-IP filtering, delete unused accounts, and encourage all users to update their passwords[6].
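The log-monitoring recommendation above, together with the short access-to-deployment interval noted under Pre-Intrusion Activity, can be turned into a simple triage script. The following Python is an added example and is not code from SonicWall or from any of the cited researchers. It assumes a simplified one-line-per-event log format, a hand-written placeholder list of hosting/VPS address ranges (RFC 5737 documentation addresses, not real provider ranges) and a 60-minute window for flagging follow-on activity after a VPN login; all of those are constructed for the example.

```python
"""Added example: flag suspicious SSL VPN logins in a simplified firewall log.

Two rules are applied to every vpn_login event:
  1. the source address falls inside a hosting/VPS range, and
  2. the same user generates non-login activity within a short window
     after the login (a short dwell time before hands-on activity).
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<timestamp> <event> user=<name> src=<ip>".
# These lines are made up for the example and are not real telemetry.
SAMPLE_LOG = """\
2025-07-15T02:11:04Z vpn_login user=svc_backup src=203.0.113.45
2025-07-15T02:17:30Z smb_admin_share user=svc_backup src=10.0.0.25
2025-07-15T09:03:12Z vpn_login user=jdoe src=198.51.100.7
2025-07-15T15:40:00Z vpn_login user=jdoe src=198.51.100.7
2025-07-16T01:55:21Z vpn_login user=svc_backup src=203.0.113.46
"""

# Placeholder "hosting/VPS" ranges. 203.0.113.0/24 is an RFC 5737 documentation
# block, not a real provider; in production this list would come from an
# ASN/hosting-provider feed.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts, sorted by time.

    Malformed lines are skipped rather than aborting the whole run.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": m["event"],
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def in_hosting_range(ip, ranges):
    """True if ip falls inside any of the configured hosting/VPS networks."""
    return any(ip in net for net in ranges)


def vpn_login_alerts(events, hosting_ranges=HOSTING_RANGES,
                     window=timedelta(minutes=60)):
    """Return (timestamp, user, rule, detail) tuples for suspicious logins."""
    alerts = []
    for login in (e for e in events if e["event"] == "vpn_login"):
        # Rule 1: VPN login from an address in a hosting/VPS range.
        if in_hosting_range(login["src"], hosting_ranges):
            alerts.append((login["ts"], login["user"],
                           "login_from_hosting_ip", str(login["src"])))
        # Rule 2: first non-login activity by the same user inside the window.
        followups = [e for e in events
                     if e["user"] == login["user"]
                     and e["event"] != "vpn_login"
                     and login["ts"] < e["ts"] <= login["ts"] + window]
        if followups:
            first = followups[0]
            dwell_min = int((first["ts"] - login["ts"]).total_seconds() // 60)
            alerts.append((login["ts"], login["user"],
                           "rapid_post_login_activity",
                           f"{first['event']} after {dwell_min} min"))
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in vpn_login_alerts(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user:12} {rule:26} {detail}")
```

On the constructed sample the script raises three alerts: two for svc_backup logging in from the placeholder hosting range, and one because that account touched an admin share six minutes after its first login. The ordinary broadband-style logins by jdoe produce nothing. Shrinking the window (for example to five minutes) drops the dwell-time alert, which is the knob to tune against the baseline of how quickly legitimate users normally start working after connecting.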

Conclusion

The recent Akira ransomware attacks on SonicWall Gen 7 firewalls are linked principally to exploitation of the known CVE-2024-40766 vulnerability and poor credential management rather than a new zero-day flaw. Investigation and patch efforts remain ongoing, but operational security focus on credential protection and VPN access monitoring is critical[1][2][3][4][5].

[1] Arctic Wolf (2025). SonicWall Gen 7 Firewalls Under Attack by Akira Ransomware. [online] Available at: https://www.arcticwolf.com/blog/sonicwall-gen-7-firewalls-under-attack-by-akira-ransomware/

[2] Huntress (2025). Akira Ransomware Targeting SonicWall Firewalls. [online] Available at: https://www.huntresslabs.com/blog/akira-ransomware-targeting-sonicwall-firewalls

[3] Sophos (2025). Akira Ransomware Hits SonicWall Firewalls. [online] Available at: https://www.sophos.com/blogs/threat-intelligence/akira-ransomware-hits-sonicwall-firewalls.aspx

[4] Google Threat Analysis Group (2025). SonicWall Gen 7 Firewalls and Akira Ransomware. [online] Available at: https://googlesecurity.blog/2025/08/sonicwall-gen-7-firewalls-and-akira-ransomware.html

[5] John Hammond (2025). SonicWall Gen 7 Firewalls and Akira Ransomware: A Deep Dive. [online] Available at: https://www.huntresslabs.com/blog/sonicwall-gen-7-firewalls-and-akira-ransomware-a-deep-dive

[6] SonicWall (2025). SonicWall Advisory for Akira Ransomware Attacks. [online] Available at: https://www.sonicwall.com/en-us/support/alerts/sonicwall-advisory-for-akira-ransomware-attacks

  1. In the wake of the surge in Akira ransomware attacks, cybersecurity professionals have emphasized the importance of incident response, focusing on the protection of privacy, finance, and business through enhanced cybersecurity measures.
  2. The recent attacks on SonicWall Gen 7 firewalls, primarily targeting devices with SSL VPN enabled, have been linked to the exploitation of a known vulnerability, CVE-2024-40766, and weak credential management practices.
  3. To mitigate the risks posed by ransomware like Akira, organizations are encouraged to disable SonicWall SSL VPN services, enforce strong credential hygiene, and monitor VPN logs for anomalous access patterns, especially connections from virtual private servers.
  4. While the attack method initially involved VPN logins, research reveals a short time between account access and ransomware deployment, indicating the presence of adversarial, hands-on-keyboard operations.
  5. The ongoing investigation into the Akira ransomware attacks underscores the critical role of technology in cybersecurity, as businesses strive to protect their assets from such threats, bolstered by robust firewalls and effective vulnerability management strategies.
