Akira Ransomware Exploits SonicWall VPN Flaw and Misconfigurations to Breach Networks

The Akira ransomware group has ramped up its attacks on SonicWall devices, combining a critical SSL VPN access-control vulnerability with configuration weaknesses to gain unauthorized access. Security researchers have observed a surge in intrusions involving SonicWall firewalls since late July 2025. The activity has been tied to CVE-2024-40766, an improper access control flaw in SonicOS rated CVSS 9.3, and specifically to appliances whose local user passwords were carried over when settings were migrated from an older-generation firewall and never reset afterwards. Those unrotated credentials, rather than a fresh exploit, are what left many of the affected systems exposed.

One of the misconfigurations involves the default LDAP user groups in SonicWall's SSL VPN settings. When configured insecurely, every user who authenticates through LDAP is automatically placed into the configured local groups, regardless of which groups that user actually belongs to in Active Directory. If those local groups grant access to administrative interfaces, sensitive network zones, or SSL VPN services, then any compromised AD account, even one with no VPN role at all in AD, immediately yields full perimeter access.

Akira has also been seen targeting the "Virtual Office Portal" feature on SonicWall appliances. In some default configurations this portal is reachable from the internet, so an attacker who already holds valid credentials can complete TOTP/MFA enrollment for that account on the portal, locking in a second factor under their own control before the legitimate user does, and then use it for deeper access. This is why earlier credential exposures are particularly dangerous in this campaign.

Organizations are being urged to take several steps to reduce risk: rotate or reset local passwords on all SonicWall accounts, especially those that survived a migration; disable or remove unused or inactive local admin accounts; enforce multi-factor authentication or time-based one-time password (TOTP) protection and make sure legitimate users complete enrollment rather than leaving it open for self-enrollment after a credential leak; and restrict SSL VPN portals such as Virtual Office to internal networks only. Reviewing and tightening the LDAP default group settings is especially important, since that is where an ordinary AD account can be inadvertently promoted to VPN or administrative access.
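The following audit script is an added example and not SonicWall's code or any vendor tool. It models the weaknesses described above (migrated passwords never reset, inactive admin accounts, privileged LDAP default groups, an internet-exposed Virtual Office portal, and TOTP left unenforced) as checks over a constructed, simplified configuration, and places a weak configuration beside a hardened one. The dataclass fields, zone names and the "migration date" are assumptions for illustration; the group names "SonicWall Administrators" and "SSLVPN Services" follow the SonicOS built-in groups. `effective_local_groups` shows the LDAP default-group problem concretely: an AD user with no VPN role still lands in the SSL VPN group.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Local groups that grant perimeter or management access. The names match the
# SonicOS built-in groups; everything else in this model is a constructed
# simplification of an SSL VPN configuration, not a parsed .exp export.
PRIVILEGED_GROUPS = {"SonicWall Administrators", "SSLVPN Services"}
INTERNAL_ZONES = {"LAN", "MGMT"}  # assumed: zones where a VPN portal may listen


@dataclass
class LocalUser:
    name: str
    is_admin: bool
    password_changed: date      # last password change
    last_login: Optional[date]  # None = never logged in
    totp_enrolled: bool


@dataclass
class SslVpnConfig:
    migration_date: date        # assumed: when settings were imported from the old appliance
    users: list
    ldap_group_map: dict        # explicit AD group -> local group mappings
    ldap_default_groups: set    # local groups given to EVERY authenticated LDAP user
    portal_zones: set           # zones the Virtual Office portal listens on
    require_totp: bool


def effective_local_groups(ad_groups, cfg):
    """Local groups an LDAP-authenticated user ends up in: the explicitly mapped
    AD groups plus every default group, regardless of the user's AD membership."""
    mapped = {cfg.ldap_group_map[g] for g in ad_groups if g in cfg.ldap_group_map}
    return mapped | cfg.ldap_default_groups


def audit(cfg, today, inactive_days=90):
    """Return sorted (check, subject) findings; an empty list means all checks pass."""
    findings = []
    cutoff = today - timedelta(days=inactive_days)
    for u in cfg.users:
        # Password set on or before the migration was carried over and never reset.
        if u.password_changed <= cfg.migration_date:
            findings.append(("stale-migrated-password", u.name))
        # Admin account that has never logged in or has been idle past the cutoff.
        if u.is_admin and (u.last_login is None or u.last_login < cutoff):
            findings.append(("inactive-admin", u.name))
        # TOTP enforced globally but this account has not completed enrollment,
        # so an attacker with its password could enroll a token on the portal.
        if cfg.require_totp and not u.totp_enrolled:
            findings.append(("totp-not-enrolled", u.name))
    # Any AD account authenticating via LDAP inherits VPN or admin rights.
    for g in cfg.ldap_default_groups & PRIVILEGED_GROUPS:
        findings.append(("ldap-default-group-privileged", g))
    # Virtual Office portal reachable from a non-internal zone (e.g. WAN).
    for z in cfg.portal_zones - INTERNAL_ZONES:
        findings.append(("portal-exposed", z))
    if not cfg.require_totp:
        findings.append(("totp-not-enforced", "global"))
    return sorted(findings)


# Constructed sample data: a weak post-migration configuration beside a hardened one.
WEAK = SslVpnConfig(
    migration_date=date(2024, 6, 1),
    users=[
        LocalUser("admin", True, date(2023, 11, 20), date(2025, 8, 1), False),
        LocalUser("backup-admin", True, date(2023, 11, 20), None, False),
        LocalUser("vpn-svc", False, date(2025, 3, 4), date(2025, 8, 20), True),
    ],
    ldap_group_map={"VPN-Users": "SSLVPN Services"},
    ldap_default_groups={"SSLVPN Services"},   # every AD user becomes a VPN user
    portal_zones={"WAN", "LAN"},               # portal exposed to the internet
    require_totp=False,
)

HARDENED = SslVpnConfig(
    migration_date=date(2024, 6, 1),
    users=[
        LocalUser("admin", True, date(2025, 8, 30), date(2025, 8, 31), True),
        LocalUser("vpn-svc", False, date(2025, 8, 30), date(2025, 8, 20), True),
    ],
    ldap_group_map={"VPN-Users": "SSLVPN Services"},  # only the mapped AD group gets VPN
    ldap_default_groups=set(),
    portal_zones={"LAN"},
    require_totp=True,
)

if __name__ == "__main__":
    today = date(2025, 9, 1)
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg, today))
        print("  Domain Users only ->", effective_local_groups({"Domain Users"}, cfg))
```

Run as-is, the weak configuration produces six findings and the hardened one none; the same "Domain Users" account reaches the SSL VPN group only under the weak configuration. The checks are deliberately simple so they can be re-pointed at whatever inventory or configuration export an organization actually has.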

The Akira group remains a persistent threat, having conducted hundreds of ransomware incidents since its emergence, and the recent SonicWall activity is among its more refined intrusion chains. The typical pattern is initial access through SSL VPN weaknesses, followed by lateral movement, privilege escalation, data exfiltration, and finally deployment of the ransomware across the compromised systems.