Zero-Day Exploitation in SonicWall Targeted by Akira Ransomware
Summary
A critical zero-day vulnerability is suspected in SonicWall SSL VPN appliances, which are currently being actively exploited by threat actors linked to the Akira ransomware group. These attacks began last month and exploit even fully patched devices and systems with multi-factor authentication (MFA) enabled. In many cases, attackers move quickly, encrypting victim systems within hours of gaining access.
Detailed Observation
The ongoing attacks targeting SonicWall SSL VPN appliances suggest the presence of a zero-day vulnerability that allows threat actors to gain unauthorized access to enterprise networks.
This exploitation may be limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled. The attack patterns indicate that the attackers may be exploiting a flaw in the VPN’s authentication or session management mechanisms which they can be able to bypass the MFA.
Security researchers also observed that the threat actors often used legitimate credentials, including recently rotated passwords, implying either credential theft or session hijacking.
These login attempts were traced back to Virtual Private Servers (VPS), a common tactic to obscure the attacker’s origin. Once threat actors on the network, they abuse the privileged accounts, then start establishing C2 and move laterally in the network, then at the last stage before deploying the ransomware they are disabling the defenses to smooth deploy.
The ransomware group suggests Akira, has been seen deploying malware and encrypting data within hours, showcasing a high level of automation and operational efficiency.
The pattern and speed of these attacks point to a well-orchestrated campaign that likely began months earlier (as early as October 2024) but surged in mid-July 2025. This level of sophistication, combined with the failure of traditional defenses, strongly supports the theory that attackers are leveraging an undisclosed vulnerability in SonicWall’s SSL VPN stack.
Remediation:
Until an official SonicWall patch is released, organizations should take the following immediate actions:
- Disable SonicWall SSL VPN if possible, especially for external access.
- Enforce network segmentation to limit the radius of any potential breach.
- Monitor access logs for suspicious login attempts (especially from VPS-hosting IP ranges).
- Block known malicious IPs and ASNs used in previous attacks.
- Rotate all VPN credentials, especially for admin or privileged users.
- Harden MFA configuration (though current evidence shows bypasses are possible).
- Enable IP reputation and botnet protection features in SonicWall firewalls.
- Audit all VPN user accounts, removing any inactive or unnecessary ones.
IOCs
| Attacker IP | Threat Actors used tools | ASN/CIDR hosting adversary infrastructure | User & Password created |
| 42.252.99[.]59 | w.exe | AS24863 – LINK-NET – 45.242.96.0/22 | backupSQL (U) |
| 45.86.208[.]240 | win.exe | AS62240 – Clouvider – 45.86.208.0/22 | lockadmin (U) |
| 77.247.126[.]239 | C:\ProgramData\winrar.exe | AS62240 – Clouvider – 77.247.126.0/24 | Password123$ (P) |
| 104.238.205[.]105 | C:\ProgramData\OpenSSHa.msi | AS23470 – ReliableSite LLC – 104.238.204.0/22 | Msnc?42da (P) |
| 104.238.220[.]216 | C:\Program Files\OpenSSH\sshd.exe | AS23470 – ReliableSite LLC – 104.238.220.0/22 | VRT83g$%ce (P) |
| 181.215.182[.]64 | C:\programdata\ssh\cloudflared.exe | AS174 – COGENT-174 – 181.215.182.0/24 | |
| 193.163.194[.]7 | C:\Program Files\FileZilla FTP Client\fzsftp.exe | AS62240 – Clouvider – 193.163.194.0/24 | |
| 193.239.236[.]149 | C:\ProgramData\1.bat | AS62240 – Clouvider – 193.239.236.0/23 | |
| 194.33.45[.]155 | C:\ProgramData\2.bat | AS62240 – Clouvider – 194.33.45.0/24 |
- Source: huntress.com
Conclusion:
The exploitation of a suspected zero-day in SonicWall SSL VPN poses an immediate and critical threat to enterprise environments.
The ability of attackers to bypass authentication and deploy ransomware within hours is highly dangerous and points to a sophisticated, active campaign.
Organizations using SonicWall VPNs must take preemptive steps now, including disabling VPN access if feasible and aggressively monitoring for anomalies, until SonicWall releases a formal patch or mitigation advisory
References:
Recent Comments