Akira Exploits SonicWall SSLVPN in Suspected Zero-Day Attacks
[Update] Surge in Exploitation of CVE-2024-40766 by Akira
[Update] SonicWall Links Attacks to CVE-2024-40766, Not a Zero-Day
A string of high-severity cyberattacks is currently targeting SonicWall’s Gen 7 firewall appliances, with attackers reportedly exploiting what appears to be a zero-day vulnerability in SSLVPN functionality. Multiple security firms have observed threat actors bypassing Multi-Factor Authentication (MFA), rapidly escalating privileges, and deploying ransomware within hours of initial access.
SonicWall has issued an urgent advisory recommending all organizations disable SSLVPN immediately, or at the very least, restrict it to trusted IPs while investigations continue. In this blog, we will outline the key details of the threat activity, attacker behavior, and immediate mitigation steps.
What Happened?
A wave of ransomware incidents linked to SonicWall firewalls began surfacing in mid-July. Arctic Wolf first observed signs of this activity on July 15, identifying Akira Ransomware infections likely tied to a vulnerability in SonicWall’s Gen 7 SSLVPN service.

Threat actor card for Akira Ransomware
Which Devices Are Affected?
These intrusions specifically impacted SonicWall TZ and NSa-series devices running firmware version 7.2.0-7015 or earlier.
How Did Attackers Gain Initial Access?
While the exact method of entry hasn’t been pinned down, possibilities include a newly discovered vulnerability, or attackers leveraging brute force or credential-based attacks to break in.
Researchers have since corroborated these findings, observing roughly 20 incidents with consistent patterns. In each case, attackers moved swiftly, bypassing MFA protections and reaching domain controllers.

Timeline of attacks – compromised accounts (Huntress)
How Are Attackers Targeting SonicWall Devices?
Researchers have mapped out recurring methods based on incident data, which involve:
- Initial Access: Begins with compromise of the SonicWall device.
- Privilege Escalation: Attackers leverage over-permissioned service accounts (e.g., LDAPAdmin, sonicwall) to gain administrator-level access.
- Persistence: Tools like Cloudflared tunnels and OpenSSH are deployed for durable command and control.
- Lateral Movement: Using PowerShell Remoting, WMI, and built-in Windows tools, actors spread across the network.
- Credential Theft: Scripts dump Veeam backups, extract browser-stored credentials, and even exfiltrate Active Directory data using wbadmin.exe.
- Defense Evasion: Threat actors disable Microsoft Defender and firewall rules before deploying ransomware.
- Payload Deployment: Volume Shadow Copies are deleted via vssadmin.exe, followed by the delivery of Akira ransomware.

Visualization of the SonicWall SSLVPN Attack Chain
The attack operations are fast and methodical, combining automated tools with hands-on activity. SonicWall and external vendors emphasize that this remains an active, evolving campaign with serious consequences for unprotected systems.
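As an added example (not code from SOCRadar, Huntress or SonicWall), the following Python script runs simple stage-level detections over constructed process-creation events that mirror the chain above: shadow-copy deletion, a Cloudflared tunnel, an NTDS backup via wbadmin, and Defender being switched off, with interactive use of the over-permissioned service accounts named on this page tagged separately. The host names, account names and log format are assumed sample values.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon EID 1 / Security 4688 style),
# one per line as "host|user|image|command_line". Not real telemetry.
SAMPLE_EVENTS = """\
srv01|CORP\\LDAPAdmin|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
srv01|CORP\\LDAPAdmin|C:\\programdata\\ssh\\cloudflared.exe|cloudflared.exe tunnel run --token REDACTED
srv01|CORP\\sonicwall|C:\\Windows\\System32\\wbadmin.exe|wbadmin start backup -backupTarget:D: -include:C:\\Windows\\NTDS
srv01|CORP\\LDAPAdmin|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
ws07|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE report.docx
"""

# One rule per stage of the chain described in the post; each is a pattern over the command line.
RULES = {
    "payload_shadow_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "persistence_cloudflared": re.compile(r"cloudflared(\.exe)?\s+tunnel", re.I),
    "credtheft_wbadmin_ntds": re.compile(r"wbadmin\b.*\bntds\b", re.I),
    "evasion_defender_off": re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I),
}
# Over-permissioned service accounts named in the incidents; interactive use of them is itself a red flag.
SERVICE_ACCOUNTS = {"ldapadmin", "sonicwall"}

def parse_event(line):
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}

def detect(text):
    """Return (host, user, tag) for every event whose command line matches a chain-stage rule."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        account = ev["user"].split("\\")[-1].lower()   # strip the DOMAIN\ prefix
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                tag = name + ("+service_account" if account in SERVICE_ACCOUNTS else "")
                hits.append((ev["host"], ev["user"], tag))
    return hits

def hosts_with_chain(hits, min_steps=3):
    """Hosts where at least min_steps distinct stages fired: escalate as likely hands-on-keyboard activity."""
    stages = defaultdict(set)
    for host, _, tag in hits:
        stages[host].add(tag.split("+")[0])
    return sorted(h for h, s in stages.items() if len(s) >= min_steps)
```

Single-rule hits are worth triaging on their own, but several stages on one host within a short window is the pattern that matched these incidents.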
How Can You Mitigate SonicWall SSLVPN Attacks?
SonicWall published an official advisory urging immediate steps to reduce risk:
- Disable SSLVPN entirely if possible.
- Restrict access to the VPN via source IP allow-listing.
- Enable security services, such as Botnet Protection and Geo-IP Filtering, to detect known threats.
- Enforce MFA, though current campaigns have bypassed it.
- Audit user accounts, especially any unused accounts with SSLVPN access.
- Enforce password hygiene and monitor for brute-force indicators.
Further technical details, including attacker behavior, are available here. You can also find the Indicators of Compromise (IOCs) at the end of this blog post.
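Two of the steps above, source-IP allow-listing and brute-force monitoring, can be checked against VPN authentication logs. The Python below is an added example, not SonicWall or SOCRadar code: it parses constructed SSLVPN login events (the CSV layout and the `203.0.113.0/24` trusted range are assumptions, not the SonicOS log format) and reports successful logins from outside the allow-list plus source IPs whose failures cluster inside a sliding window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSLVPN authentication events, not real SonicOS syslog: "time,src_ip,user,result".
SAMPLE_LOG = """\
2025-07-15T01:02:10,203.0.113.7,jdoe,success
2025-07-15T02:14:01,198.51.100.23,backup,failure
2025-07-15T02:14:03,198.51.100.23,admin,failure
2025-07-15T02:14:06,198.51.100.23,sonicwall,failure
2025-07-15T02:14:08,198.51.100.23,LDAPAdmin,failure
2025-07-15T02:14:11,198.51.100.23,LDAPAdmin,failure
2025-07-15T02:14:15,198.51.100.23,LDAPAdmin,success
2025-07-15T09:30:00,203.0.113.9,asmith,success
"""
# Assumed corporate egress ranges for the source-IP allow-list (placeholder values).
TRUSTED_SOURCES = ["203.0.113.0/24"]

def parse_log(text):
    """Parse the CSV-style events above and return them in chronological order."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "ip": ipaddress.ip_address(ip),
                       "user": user, "result": result})
    return sorted(events, key=lambda e: e["time"])

def logins_outside_allowlist(events, allowlist):
    """Successful logins from a source the allow-list does not cover; none should remain once it is enforced."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    return [e for e in events if e["result"] == "success" and not any(e["ip"] in n for n in nets)]

def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failures inside some sliding window of length `window`."""
    failures = defaultdict(list)          # ip -> failure timestamps (already chronological)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[str(ip)] = end - start + 1
                break
    return flagged
```

In the sample, the guessing run against several accounts ends with a success for a service account from an untrusted source, which is exactly the login the allow-list would have blocked.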
Is There a SonicWall SSLVPN Exploit Available on the Dark Web?
On January 5, SOCRadar spotted an exploit for a pre-authenticated root Remote Code Execution (RCE) vulnerability affecting SonicWall SSLVPN being sold on a hacker forum. While it’s unclear if this exploit is connected to recent attacks, it shows how fast threat actors trade advanced tools on the Dark Web.

SonicWall SSLVPN preauth root RCE detected on hacker forum (SOCRadar Dark Web News)
SOCRadar’s monitoring covers all bases:
- Attack Surface Management (ASM) finds exposed assets,
- Cyber Threat Intelligence (CTI) sends real-time alerts on new vulnerabilities and active attacks,
- Dark Web Monitoring uncovers underground exploit sales and threat chatter.
Use SOCRadar to get early warnings and key context, so your team can prioritize defenses and act before attackers strike.

SOCRadar’s ASM module – Digital Footprint Monitoring
SonicWall Links Attacks to CVE-2024-40766, Not a Zero-Day
SonicWall’s latest investigation into the recent Akira ransomware campaign has shifted the focus from a suspected zero-day to CVE-2024-40766 (CVSS 9.8) – a critical SSLVPN access control flaw patched in August 2024. This vulnerability, present in SonicOS, allows unauthorized access to SSLVPN endpoints, enabling attackers to hijack sessions or gain VPN access. It was heavily exploited following its disclosure, with both Akira and Fog ransomware operators using it to infiltrate corporate networks.

Quick details on CVE-2024-40766 (SOCRadar Labs CVE Radar)
The company says evidence from 40 reviewed incidents points to exploitation of this older flaw, particularly in cases where organizations migrated from Gen 6 to Gen 7 firewalls without resetting local user passwords. SonicWall had flagged this password reset step in its original advisory, stressing its importance for mitigation. The updated recommendation is to run firmware version 7.3.0 or later (which improves brute-force and MFA protections) and reset all local user passwords, especially those tied to SSLVPN.
While SonicWall’s findings counter earlier reports from Arctic Wolf Labs that suggested a zero-day was in play, the update hasn’t convinced everyone. Some customers have voiced doubts online, reporting breaches on accounts created post-migration and claiming the vendor declined to review their logs. Such accounts, alongside the cautious language in SonicWall’s statement, mean questions remain over the full scope of the threat.
Surge in Exploitation of CVE-2024-40766 by Akira
New alerts confirm that Akira ransomware operators have ramped up their use of CVE-2024-40766 in fresh campaigns. According to the Australian Cyber Security Centre (ACSC), exploitation activity has recently surged in Australia, targeting vulnerable organizations.
While the flaw was patched in August 2024, incomplete remediation continues to expose organizations. In particular, failure to reset locally managed SSLVPN account passwords has allowed attackers to configure MFA or TOTP for valid accounts, bypassing protections. Rapid7 also noted misuse of SonicWall defaults, such as broad “Default Users Group” access and exposed Virtual Office Portal settings, to facilitate intrusions.
This aligns with SonicWall’s own assessment that the ongoing activity is not tied to a zero-day but to unpatched or misconfigured systems vulnerable to CVE-2024-40766. The ACSC urges immediate patching and credential rotation, underscoring that exploitation remains active.
Indicators of Compromise (IOCs)
Below are the IOCs related to this threat activity, as shared by Huntress.
Malware & Tooling
- w.exe – Ransomware executable (SHA256: d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d)
- win.exe – Ransomware executable
- C:\ProgramData\winrar.exe – Data staging tooling
- C:\ProgramData\OpenSSH\a.msi – OpenSSH installer
- C:\Program Files\OpenSSH\sshd.exe – SSH executable for exfiltration
- C:\programdata\ssh\cloudflared.exe – Cloudflare tunneling tool
- C:\Program Files\FileZilla FTP Client\fzsftp.exe – Data exfiltration tooling
- C:\ProgramData\1.bat – Unknown attacker script
- C:\ProgramData\2.bat – Unknown attacker script
Malicious User Accounts and Credentials
- backupSQL
- lockadmin
- Password123$
- Msnc?42da
- VRT83g$%ce