
SonicWall is investigating several reported cyber incidents, including ransomware deployments that may be exploiting a previously unknown, unpatched vulnerability (a zero-day).


In a recent string of cyber attacks, SonicWall SSL VPNs have been exploited in ransomware intrusions attributed to the Akira ransomware group. Since mid-July 2025, the activity has been linked either to a potential zero-day vulnerability or to a known critical flaw in SonicOS, CVE-2024-40766, an improper access control vulnerability that SonicWall patched in 2024.

The attacks began with anomalous logins through the SonicWall SSL VPN and progressed quickly to deployment of the Akira ransomware. The attackers authenticated despite multi-factor authentication being enforced, persisted through credential rotations, and compromised devices that were fully patched. Suspicious VPN connections frequently originated from Virtual Private Server (VPS) hosting providers, a common tactic among ransomware affiliates, since legitimate remote users rarely connect from hosting-provider address ranges.

The activity affects SonicWall Gen 7 firewalls running SonicOS firmware earlier than version 7.3.0. SonicOS 7.3.0 adds protections against brute-force password attacks and strengthens MFA controls, so upgrading reduces exposure even though the root cause of the intrusions has not yet been confirmed.

To mitigate the risk, SonicWall and security researchers recommend the following immediate steps:

  1. Disable SSL VPN services where operationally possible until the investigation concludes and any resulting fix is applied.
  2. Upgrade firmware to SonicOS 7.3.0 or later to pick up the added hardening against brute-force and MFA attacks.
  3. Restrict SSL VPN access to trusted source IP addresses and block connections from VPS and hosting-provider ranges, from which the suspicious logins have been originating.
  4. Enable Botnet Protection and Geo-IP Filtering, and enforce multi-factor authentication on all VPN accounts.
  5. Remove inactive or unused local user accounts, especially those with VPN access, and rotate passwords for all remaining accounts.
  6. Monitor VPN login activity closely for anomalies indicative of brute-force or credential-stuffing attacks, such as bursts of failed logins from a single source or across many usernames.
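As an added example that is not code from the article or from SonicWall, the following Python script implements the monitoring step above over constructed sample events and also captures the attack pattern described earlier (logins from VPS ranges, bursts of failures). It parses simplified key=value login records in an assumed format that only approximates SonicWall's syslog output (not the verbatim SonicOS format), checks each successful login against an assumed trusted-source allowlist and an assumed VPS address range, and flags failure bursts that indicate brute force or credential stuffing, plus any success that follows such a burst from the same source. All IP ranges, usernames and log lines are constructed for illustration.

```python
"""Triage SSL VPN login events: allowlist checks, VPS-origin logins and
brute-force / credential-stuffing bursts. Constructed example; the log
format below is an ASSUMED approximation of SonicOS key=value syslog."""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed networks: office egress (trusted) and a hosting-provider range (VPS).
# In production, replace VPS_NETS with a maintained hosting/ASN feed.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
VPS_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events (not real SonicWall output).
SAMPLE_LOG = """\
time="2025-07-15 02:11:03" msg="SSL VPN login failed" usr="jdoe" src=203.0.113.10
time="2025-07-15 02:11:05" msg="SSL VPN login failed" usr="asmith" src=203.0.113.10
time="2025-07-15 02:11:07" msg="SSL VPN login failed" usr="bwong" src=203.0.113.10
time="2025-07-15 02:11:09" msg="SSL VPN login failed" usr="cklein" src=203.0.113.10
time="2025-07-15 02:11:12" msg="SSL VPN login failed" usr="dlee" src=203.0.113.10
time="2025-07-15 02:11:20" msg="SSL VPN login successful" usr="dlee" src=203.0.113.10
time="2025-07-15 08:30:00" msg="SSL VPN login successful" usr="jdoe" src=198.51.100.7
time="2025-07-15 09:02:41" msg="SSL VPN login successful" usr="svc_backup" src=192.0.2.77
"""

# IPv4 only; stops at the first non-digit/dot so a trailing ":port:iface" is ignored.
LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+msg="(?P<msg>[^"]+)"\s+'
    r'usr="(?P<usr>[^"]+)"\s+src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})'
)


@dataclass(frozen=True)
class Event:
    time: datetime
    success: bool
    user: str
    src: ipaddress.IPv4Address


def parse_events(text):
    """Parse matching lines into Events, sorted by time; skip unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append(Event(
            time=datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            success=m["msg"].endswith("successful"),
            user=m["usr"],
            src=ipaddress.ip_address(m["src"]),
        ))
    events.sort(key=lambda e: e.time)
    return events


def classify_source(ip):
    """'trusted' for allowlisted ranges, 'vps' for hosting ranges, else 'unknown'."""
    if any(ip in net for net in TRUSTED_NETS):
        return "trusted"
    if any(ip in net for net in VPS_NETS):
        return "vps"
    return "unknown"


def triage(text, window=timedelta(minutes=5), fail_threshold=5):
    """Return findings as dicts with kind/src/user/time, in event order."""
    findings = []
    recent_failures = defaultdict(deque)   # src -> deque of (time, user)
    already_flagged = set()                # sources already reported for a burst

    def record(kind, ev):
        findings.append({"kind": kind, "src": str(ev.src),
                         "user": ev.user, "time": ev.time.isoformat()})

    for ev in parse_events(text):
        q = recent_failures[ev.src]
        while q and ev.time - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if not ev.success:
            q.append((ev.time, ev.user))
            if len(q) >= fail_threshold and ev.src not in already_flagged:
                already_flagged.add(ev.src)
                distinct_users = len({u for _, u in q})
                # Many usernames from one source looks like credential stuffing
                # or spraying; repeated failures on few accounts is brute force.
                record("credential_stuffing" if distinct_users >= fail_threshold
                       else "brute_force", ev)
            continue
        origin = classify_source(ev.src)
        if origin == "vps":
            record("login_from_vps", ev)
        elif origin == "unknown":
            record("login_outside_allowlist", ev)
        if q:   # success shortly after a run of failures from the same source
            record("success_after_failures", ev)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']}  {f['kind']:<24} src={f['src']:<15} user={f['user']}")
```

A successful login from a hosting range after a burst of failures from the same address is the sequence to escalate as a possible compromise regardless of whether the account has MFA, which is why the script reports that finding independently of any MFA state. Feed it from the firewall's syslog export and adjust `LINE_RE` to the real message format before relying on it.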

SonicWall and security researchers are continuing investigations into whether an undisclosed zero-day is involved. However, organizations should assume high risk and urgently apply all recommended mitigations. It's crucial to note that MFA enforcement alone may not protect against the ransomware activity under investigation.

This is not the first time Akira ransomware affiliates have abused a critical SonicWall bug. Last year they exploited CVE-2024-40766 shortly after it was disclosed, which underscores the need for immediate action now. SonicWall's guidance for Gen 7 customers is the same: disable SSL VPN services, limit SSL VPN connectivity to trusted source IPs, enable Security Services such as Botnet Protection and Geo-IP Filtering, remove unused firewall user accounts, promote strong password hygiene, and enforce multi-factor authentication for all remote access.

Investigations are ongoing, and if a new bug is confirmed, SonicWall will release updated firmware and guidance as quickly as possible. In the meantime, it's essential for organizations to prioritise security measures to protect their systems from these attacks.

  1. While the investigation continues, organizations should invest in detection capabilities, including AI-assisted anomaly detection, that can surface unusual VPN logins like those observed in the Akira attacks.
  2. Organizations should immediately apply the fix for the known vulnerability, CVE-2024-40766, on SonicWall Gen 7 firewalls, and review the security controls of the cloud and remote-access infrastructure those firewalls protect.
  3. Because SonicWall and security researchers are still investigating a possible zero-day, organizations must implement measures beyond multi-factor authentication, such as blocking suspicious logins from VPS providers and proactively monitoring for brute-force and credential-stuffing attacks.
