Akira ransomware actors are exploiting SonicWall SSL VPN appliances by combining CVE-2024-40766 (a patched vulnerability) with legacy credentials from accounts migrated from older Gen 6 to Gen 7 devices, allowing them to bypass MFA and rapidly deploy ransomware. Organizations must immediately update to the latest SonicOS firmware, reset all migrated user accounts, and implement additional controls, such as geo-IP filtering and monitoring for VPN logins from the hosting provider's infrastructure.
Overview
In July 2025, Arctic Wolf Labs reported a marked increase in Akira ransomware intrusions leveraging SonicWall SSL VPN appliances, with related activity observed as far back as October 2024. Subsequent investigation by multiple security firms determined that these incidents did not stem from a zero-day exploit but from the abuse of CVE-2024-40766, a previously patched vulnerability, combined with credential-based access issues—most notably the reuse of local accounts migrated from older SonicWall Gen 6 devices to Gen 7 systems. In many cases, attackers were able to log in despite multi-factor authentication due to these legacy credentials remaining active. VPN sessions tied to the intrusions consistently originated from virtual private server infrastructure, diverging from the patterns of legitimate remote access. Given SonicWall SSL VPN’s widespread deployment, these findings underscore the high risk posed by unaddressed credential hygiene issues and unpatched systems. SonicWall has urged customers to update to the latest SonicOS firmware, reset any migrated or legacy user accounts, enforce MFA across all access points, and implement additional controls, including geo-IP filtering and botnet protection to reduce exposure.
Key Points:
- Arctic Wolf’s telemetry indicates multiple intrusions occurred despite recent credential resets and TOTP-based MFA, reinforcing concerns around either token session replay or session hijacking techniques.
- The threat actor infrastructure used in these attacks overlaps with previously observed Akira campaigns and includes leased VPS ranges known to support credential brute forcing and anonymized VPN traffic.
- VPN authentication is used not only for access but also as a staging point for immediate reconnaissance and lateral movement, often bypassing initial malware deployment altogether.
- Immediate Actions: Apply SonicWall firmware updates (Gen 7: SonicOS 7.3.0 or later; Gen 6: 6.5.4.14 or later), disable SSL VPN services where feasible, and monitor for Akira-specific post-authentication behaviors, including the use of AdFind or Rclone following VPN login.
1.0 Threat Overview
1.1 Initial Discovery and Detection
The earliest signs of this campaign were traced back to October 2024, when Arctic Wolf and other vendors began detecting anomalous VPN login patterns involving SonicWall SSL VPN appliances. These logins, often sourced from VPS-hosted infrastructure, stood out for their frequency, geographic inconsistency, and lack of associated brute force attempts. Follow-up investigations in mid-2025 confirmed that the activity was linked to the exploitation of CVE-2024-40766, a previously patched vulnerability in SonicWall Gen 7 SSL VPN appliances, combined with credential-based access using migrated local accounts from older Gen 6 devices. In many affected environments, these legacy accounts had not been reset during migration, allowing attackers to bypass multi-factor authentication and gain direct access. VPN sessions tied to these intrusions consistently originated from hosting-provider infrastructure, diverging from normal remote access patterns. By mid-July 2025, a sharp uptick in pre-encryption intrusions was observed across multiple sectors, highlighting both the scale of the campaign and its focus on exploiting overlooked account hygiene in addition to unpatched devices.
1.2 Vulnerabilities & Affected Systems
CVE-2024-40766 affected systems
Critical vulnerability in SonicWall SonicOS management access affecting Gen 7 devices:
- NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700
- NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700
- Virtual platforms: VMware ESXi, KVM, Microsoft Hyper-V
- Cloud platforms: AWS, Microsoft Azure
- Gen 8 Firewall Series
- SMA 1000 Series
- SMA 100 Series
2.0 Infection Chain and Payload Execution
The Akira intrusion chain observed in these incidents follows a consistent and highly efficient pattern, often progressing from initial access to ransomware deployment in less than 24 hours:
1. Threat actors authenticate to SonicWall SSL VPN appliances using valid credentials, with no observable brute force or probing attempts. The method suggests either zero-day exploitation or prior credential/CVE seed theft.
2. VPN access appears legitimate in logs, allowing attackers to blend with authorized traffic and gain immediate internal network reach; no malware is required in the early stages.
3. Domain discovery and immediate Domain Administrator credential acquisition occur with no observable lateral movement or escalation. Credentials are obtained almost immediately after VPN login, indicating a potential VPN session handling flaw.
4. Sensitive files are located and staged for exfiltration using cloud storage tools and SMB network shares. Exfiltration may occur before encryption, depending on the target environment.
5. Akira ransomware is deployed across targeted systems and network shares with coordinated timing. Encryption occurs within hours of access, with coordinated impact across endpoints to maximize operational disruption.
6. Logs are cleared and staging tools removed post-encryption in some environments, though this behavior is not consistent across incidents.
3.0 Associated Threat Actors
The Akira ransomware group, a Russian-speaking cybercrime operation that emerged in April 2023, has established itself as a sophisticated RaaS threat actor targeting six major sectors: manufacturing, legal, finance, education, government, and healthcare. Its toolset includes the signature Akira ransomware alongside Cobalt Strike, Rclone, and MegaCmd, and its tactics include exploiting VPN infrastructure vulnerabilities, leveraging stolen credentials, double extortion, and living-off-the-land techniques, notably avoiding initial malware deployment. In its most recent campaign, from July to August 2025, Akira exploited SonicWall Gen 7 SSL VPN appliances through CVE-2024-40766, combined with active credentials from migrated local accounts that had not been reset during Gen 6 to Gen 7 upgrades. This allowed the group to bypass MFA and gain immediate access without privilege escalation, while maintaining its characteristic use of VPS-based login infrastructure for command and control operations.
4.0 Attack Vectors and Delivery Methods
Akira ransomware operators are exploiting SonicWall Gen 7 SSL VPN appliances through a combination of CVE-2024-40766 and credential-based access using legacy accounts migrated from older hardware. These accounts, often overlooked during upgrade processes, can allow authentication even in MFA-enabled environments. All confirmed intrusions have been initiated via unauthorized VPN access, with attackers commonly connecting from hosting-provider IP ranges. No phishing, brute force, or credential stuffing has been definitively observed; instead, access has relied on exploiting unpatched devices or abusing unchanged migrated credentials.
Cybersecurity Threat Analysis
Attack vectors:
- CVE-2024-40766 exploitation: targeting SonicWall Gen 7 SSL VPN vulnerabilities to gain initial access
- Legacy account abuse: exploiting migrated legacy local accounts from Gen 6 devices
- VPS infrastructure: utilizing Virtual Private Server hosted infrastructure for attacks
- Credential reuse: leveraging credential reuse in mixed Gen 6/Gen 7 environments
- Combined attack method: sophisticated combination of vulnerability exploitation with credential abuse
Delivery methods:
- Direct VPN access: exploiting unpatched appliances for direct network penetration
- MFA bypass: using valid credentials to circumvent multi-factor authentication
- Encrypted VPN tunnels: establishing secure tunnels into internal network infrastructure
- Legitimate logins: no brute-force attacks; all logins appear completely legitimate
- Post-authentication actions: AD enumeration, network share discovery, and data staging with Rclone/MegaCmd tools
5.0 Risk and Impact
The Akira ransomware campaign targeting SonicWall Gen 7 SSL VPNs poses a high-impact threat that can bypass traditional security controls, including multi-factor authentication, by exploiting CVE-2024-40766 and leveraging valid credentials from migrated accounts. Exploitation leads to rapid domain-level compromise and ransomware deployment, often without signs of lateral movement or early detection. Because VPN appliances are typically treated as trusted, hardened entry points, organizations are afforded minimal time to detect and respond before payload execution occurs. The reliance on a known, patchable vulnerability combined with overlooked credential hygiene emphasizes that both technical and procedural remediation are critical to reducing risk.
6.0 Real World Use Cases
7.0 Recommendations for Mitigation
Apply SonicWall Firmware Updates Immediately
- Upgrade all affected Gen 7 SonicWall firewall appliances to SonicOS 7.3.0 or later
- For environments with Gen 6 appliances linked to a Gen 7 migration, update Gen 6 devices to 6.5.4.14 or later where applicable
- Disable the SSL-VPN service on devices pending updates
Enforce VPN Authentication from Trusted IP Ranges Only
- Implement geolocation and IP allowlists for VPN access
- Block known hosting-provider ASN ranges commonly used by threat actors (e.g., DigitalOcean, OVH, Linode)
Implement SSL Decryption and Deep Packet Inspection (DPI)
- Enable SSL inspection to monitor post-authentication VPN traffic
- Deploy DPI to detect encrypted command-and-control behavior and malicious payload staging
Monitor VPN Logins for Hosting-Based Infrastructure
- Build detection logic for successful VPN logins from hosting-provider IPs
- Establish automated alerting and conditional access policies to isolate suspicious sessions
Centralize SonicWall Telemetry for Behavior-Based Analytics
- Forward all SonicWall logs (authentication, system, and traffic) to SIEM
- Baseline typical remote access patterns and alert on anomalies in login time, frequency, or geographic origin
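As an added example (not from the original report or from SonicWall), the following Python sketch implements the two monitoring recommendations above together: flagging successful SSL VPN logins from hosting-provider ranges, alerting on logins that deviate from a baseline of expected hours and geography, and flagging logins to migrated accounts that still await a reset. The log lines, field names, hosting prefixes and baseline values are all constructed assumptions, not SonicWall's actual log schema.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in a generic key=value syslog shape; field names and
# message text are assumptions for this example, not SonicWall's log schema.
SAMPLE_LOGS = [
    'time="2025-07-14 09:12:05" msg="SSL VPN user login allowed" usr="jsmith" src=203.0.113.45 country=US',
    'time="2025-07-14 02:41:17" msg="SSL VPN user login allowed" usr="migrated_admin" src=198.51.100.200 country=NL',
    'time="2025-07-14 03:02:44" msg="SSL VPN user login allowed" usr="migrated_admin" src=198.51.100.201 country=NL',
    'time="2025-07-14 10:05:00" msg="SSL VPN user login failed" usr="bob" src=203.0.113.46 country=US',
]
# Placeholder prefix standing in for hosting-provider (VPS) ranges; populate from
# ASN-to-prefix data for the providers you choose to flag.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed organisation baseline: normal countries/hours for remote access, and
# the Gen 6 accounts migrated to Gen 7 that have not yet had a password reset.
EXPECTED_COUNTRIES = {"US"}
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time
MIGRATED_ACCOUNTS_PENDING_RESET = {"migrated_admin"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split a key=value log line into a dict (values may be quoted or bare)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def assess_login(event):
    """Return the reasons a successful SSL VPN login looks anomalous (empty = none)."""
    if "login allowed" not in event.get("msg", ""):
        return []                        # failed logins are out of scope here
    reasons = []
    src = ipaddress.ip_address(event["src"])
    if any(src in net for net in HOSTING_RANGES):
        reasons.append("source in hosting-provider range")
    if event.get("country") not in EXPECTED_COUNTRIES:
        reasons.append("unexpected geography")
    if datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S").hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if event.get("usr") in MIGRATED_ACCOUNTS_PENDING_RESET:
        reasons.append("migrated Gen 6 account not yet reset")
    return reasons

def find_suspicious_logins(lines):
    """Return (user, source IP, reasons) for every login that trips a check."""
    findings = []
    for event in map(parse_line, lines):
        reasons = assess_login(event)
        if reasons:
            findings.append((event["usr"], event["src"], reasons))
    return findings
```

Feeding the constructed sample through `find_suspicious_logins` flags only the two off-hours, hosting-sourced logins to the unreset migrated account, while the in-hours login from the expected country and the failed attempt produce no finding.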
8.0 Hunter Insights
Looking forward, the threat posed by Akira ransomware targeting SonicWall SSL VPN appliances is likely to intensify due to the combination of technical exploits (such as CVE-2024-40766) and persistent credential hygiene issues. Organizations that have migrated user accounts without comprehensive credential resets—especially from Gen 6 to Gen 7 devices—will remain at elevated risk, as attackers can bypass multi-factor authentication by abusing legacy accounts and exploit known vulnerabilities that may be unpatched or insufficiently monitored. The attackers’ use of VPS-hosted infrastructure and post-authentication reconnaissance tools, including Rclone and AdFind, suggests a continued evolution towards stealthier, more rapid campaigns that minimize detection timeframes and maximize domain-level compromise.
Akira’s tactics may become a blueprint for future ransomware groups seeking similar entry points. In the coming months, attackers are expected to refine token replay or session hijacking techniques to circumvent reset credentials and upgraded authentication measures, potentially escalating attack sophistication as defenders adapt. As SonicWall appliances are widely deployed as trusted gateways, future attacks may increasingly target neglected account hygiene, incomplete migrations, or delayed firmware updates, particularly in mid-sized organizations with less mature cyber hygiene processes. The ongoing push by SonicWall for telemetric analytics and behavioral monitoring underscores the need for organizations to move beyond signature-based defenses, embracing proactive detection of anomalous login patterns and centralized log analysis. Geolocation filtering, ASN blocking, and deep packet inspection will likely become baseline security practices; however, the window for detection is shrinking. Companies must both update their systems and audit legacy accounts to avoid rapid, large-scale ransomware incidents.