As of September 11, 2025, researchers and national agencies continue to report active exploitation of SonicWall firewall appliances by the Akira ransomware group.
While the campaign remains centered on CVE-2024-40766, a critical access control vulnerability in SonicWall’s Secure Socket Layer Virtual Private Network (SSLVPN) component, two additional attack vectors have now been identified.
These involve misconfigurations in the SSLVPN Default Users Group and the Virtual Office Portal, which threat actors are using to reconfigure multi-factor authentication (MFA), specifically time-based one-time passwords (TOTP), on previously compromised accounts.
These misconfigurations are not linked to a new vulnerability, but are the result of insecure default group permissions and exposed Virtual Office interfaces. Attackers are leveraging credentials obtained during earlier compromises, often from environments that failed to rotate passwords or restrict access, to manipulate MFA settings and regain access.
This technique has been observed in multiple incidents since July 2025, with increased activity through August and early September.
CVE-2024-40766, rated 9.8 on the Common Vulnerability Scoring System (CVSS), was patched in August 2024. Exploitation began shortly after SonicWall’s initial advisory.
However, key mitigation guidance, namely advising Gen5 and Gen6 users to reset passwords and enable the “User must change password” option, was added months later and went largely unnoticed.
As highlighted in our August 2025 analysis, the ongoing Akira ransomware campaign continues to exploit legacy credentials and configurations, often carried over from older SonicWall hardware.
The persistent use of privileged service accounts and lack of credential resets following patch deployment remain key factors enabling continued access and compromise.
Analyst insight
Misconfigurations and credential reuse are enabling ransomware operators to bypass security controls and re-enter networks.
To reduce risk, organizations should immediately audit SSLVPN group permissions, disable the SSLVPN Default Users Group or set it to “None,” and restrict access to the Virtual Office Portal.
All user and service account credentials should be rotated, and MFA re-enrollment should be enforced. Monitoring for unauthorized MFA changes and login anomalies is essential.
Patching alone is not sufficient: configuration hygiene and credential management are critical to preventing re-entry.
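One way to operationalize the monitoring advice above is to correlate TOTP re-enrollment events with credential-rotation history and source-IP novelty. The Python below is an added example, not code from the original report or from SonicWall: the event format, account names, timestamps and policy values are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified normalized form (not SonicWall's
# native log schema): (timestamp, user, event, source_ip). Assumes a SIEM has
# already parsed Virtual Office Portal authentication and TOTP events.
EVENTS = [
    ("2025-07-03T08:10:00", "jdoe",       "login_ok",   "203.0.113.7"),
    ("2025-07-15T09:12:00", "jdoe",       "totp_reset", "203.0.113.7"),
    ("2025-08-02T22:41:00", "svc-backup", "login_ok",   "198.51.100.23"),
    ("2025-08-02T22:43:00", "svc-backup", "totp_reset", "198.51.100.23"),
    ("2025-08-19T03:05:00", "mlee",       "login_ok",   "198.51.100.77"),
    ("2025-08-19T03:07:00", "mlee",       "totp_reset", "198.51.100.77"),
]
# Constructed directory data: last password rotation per account.
LAST_PASSWORD_CHANGE = {
    "jdoe": "2025-07-14T09:00:00",
    "svc-backup": "2023-11-05T12:00:00",  # never rotated after the 2024 patch
    "mlee": "2024-03-20T10:30:00",        # also stale
}
# Constructed policy values: date by which post-patch resets should have been
# done, and how long a source IP must be known before an MFA change is routine.
ROTATION_CUTOFF = datetime(2024, 9, 1)
NEW_SOURCE_WINDOW = timedelta(hours=24)
SERVICE_ACCOUNTS = {"svc-backup"}


def detect_suspicious_totp_resets(events, last_pw_change, cutoff,
                                  service_accounts, new_source_window):
    """Return (user, timestamp, reasons) for each TOTP reset matching the
    re-entry pattern: stale credentials, a service account self-enrolling,
    or an MFA change from a source IP first seen moments earlier."""
    first_seen = {}  # (user, ip) -> first timestamp observed for that pair
    findings = []
    for ts_str, user, event, ip in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        first_seen.setdefault((user, ip), ts)
        if event != "totp_reset":
            continue
        reasons = []
        changed = last_pw_change.get(user)
        if changed is None or datetime.fromisoformat(changed) < cutoff:
            reasons.append("password not rotated since patch cutoff")
        if user in service_accounts:
            reasons.append("service account re-enrolled TOTP")
        if ts - first_seen[(user, ip)] < new_source_window:
            reasons.append("MFA change from newly seen source IP")
        if reasons:
            findings.append((user, ts_str, reasons))
    return findings
```

On the constructed data, jdoe's reset passes (rotated credential, long-known IP) while svc-backup and mlee are flagged, which is the triage order a responder would want.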