2025-09-10

Key Takeaways:

Akira ransomware affiliates are actively exploiting three separate SonicWall flaws and misconfigurations, including CVE-2024-40766.

More than 438,000 SonicWall devices remain publicly exposed, amplifying the potential attack surface.

Rapid7 observed “double-digit” numbers of affected customers, underscoring widespread industry impact.

Attacks have been fast-moving, with full encryption achieved in under ten hours in some cases.

Security experts urge patching, enforcing multi-factor authentication, and restricting SSLVPN access to mitigate risks.

The Akira ransomware group is once again in the spotlight, this time for abusing a trio of SonicWall vulnerabilities and misconfigurations that security researchers say are leading to widespread compromise. According to a report in The Register, the attacks have revived concerns about the persistence of old flaws and the tendency of attackers to weaponize weak configurations.

At the center of the campaign is CVE-2024-40766, a critical improper access control flaw with a CVSS score of 9.8, first disclosed in August 2024. That vulnerability was quickly folded into ransomware operations by Akira and Fog affiliates last year. Researchers documented how, between September and December 2024, at least 100 organizations were compromised using CVE-2024-40766. Victims often saw systems fully encrypted within ten hours of the initial intrusion.

Rapid7 confirmed that the latest wave has impacted “customers in the double digits,” highlighting the scope of exposure. Meanwhile, Arctic Wolf observed an uptick in Akira ransomware activity beginning in July 2025, initially thought to involve a fresh zero-day. However, it later became clear that the attackers were relying heavily on already-known flaws like CVE-2024-40766, combined with weaknesses in credentials and misconfigured user access in SonicWall environments.

In its advisory, Arctic Wolf urged organizations to reassess SSLVPN configurations, stating that “remote access should be restricted to trusted networks wherever possible” and that inactive accounts should be removed. The company also emphasized resetting local user credentials following upgrades or migrations and ensuring multi-factor authentication is universally applied.

The exposure window is substantial. Security researchers estimate more than 438,000 SonicWall devices are currently visible to the public internet, representing a large potential pool of targets. Misconfiguration alone, when combined with old vulnerabilities, provides attackers with an efficient entry point into enterprise networks.

The issue has also drawn attention from Bitsight, which in August identified new vulnerabilities in SonicWall SMA100 appliances (CVE-2025-40596 through CVE-2025-40599). While those flaws could theoretically permit remote code execution, there have been no confirmed reports of Akira actors exploiting them. Still, security experts warn that ransomware operators often incorporate fresh CVEs within months of disclosure, making swift patching essential.

Akira affiliates are also employing increasingly sophisticated post-exploitation techniques. Research from GuidePoint shows that they may be deploying legitimate drivers such as rwdrv.sys and malicious ones like hlpdrv.sys to disable Microsoft Defender and other endpoint protection tools. By targeting antivirus and EDR systems directly, the attackers increase their chances of successfully executing ransomware payloads without interruption.
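The driver pair named above gives defenders something concrete to hunt for in endpoint telemetry. The following is an added example, not code from the article or from GuidePoint: it runs a small detection over constructed log lines in a flattened Sysmon Event ID 6 (Driver loaded) layout, flags any load of the two named drivers, any driver loaded from outside the Windows drivers directory or without a signature, and raises a separate critical alert when both drivers appear on one host within a short window. Hostnames, timestamps, signer strings and the ten-minute window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Driver names come from the GuidePoint research cited in the article:
# rwdrv.sys is described as a legitimate driver, hlpdrv.sys as malicious.
WATCHLIST = {"rwdrv.sys": "medium", "hlpdrv.sys": "high"}

# Directory Windows normally loads kernel drivers from (lower-cased for comparison).
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample lines resembling flattened Sysmon Event ID 6 records;
# hostnames, timestamps and signer strings are invented for this example.
SAMPLE_LOG = """\
2025-08-14T02:11:05Z host=WS-042 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows
2025-08-14T02:13:40Z host=WS-042 EventID=6 ImageLoaded=C:\\Users\\Public\\rwdrv.sys Signed=true Signature=Example Vendor
2025-08-14T02:15:02Z host=WS-042 EventID=6 ImageLoaded=C:\\Users\\Public\\hlpdrv.sys Signed=false Signature=
2025-08-14T03:00:00Z host=WS-077 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\rwdrv.sys Signed=true Signature=Example Vendor
"""

# key=value pairs; a value runs until the next " key=" or the end of the line,
# so values containing spaces (signer names) survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_driver_events(text):
    """Turn each log line into a dict of fields plus a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        fields = {k: v for k, v in FIELD_RE.findall(rest)}
        fields["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect_driver_abuse(text, window=timedelta(minutes=10)):
    """Flag suspicious kernel driver loads and correlate the legitimate/malicious pair.

    Returns alert dicts in the order raised: one per suspicious load event, then one
    'critical' alert per host that loaded both watchlisted drivers within `window`
    of each other (the pattern the article describes for disabling endpoint protection).
    """
    alerts = []
    loads_by_host = {}  # host -> {driver name: timestamp of first load}
    for ev in parse_driver_events(text):
        if ev.get("EventID") != "6":
            continue
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name in WATCHLIST:
            reasons.append(f"watchlisted driver {name}")
            loads_by_host.setdefault(ev["host"], {}).setdefault(name, ev["ts"])
        if not path.lower().startswith(TRUSTED_DRIVER_DIR):
            reasons.append("loaded from outside the system drivers directory")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("driver is not signed")
        if reasons:
            alerts.append({
                "ts": ev["ts"], "host": ev["host"], "driver": name,
                "severity": WATCHLIST.get(name, "low"), "reasons": reasons,
            })
    for host, loads in loads_by_host.items():
        if "rwdrv.sys" in loads and "hlpdrv.sys" in loads:
            gap = abs(loads["hlpdrv.sys"] - loads["rwdrv.sys"])
            if gap <= window:
                alerts.append({
                    "ts": max(loads.values()), "host": host,
                    "driver": "rwdrv.sys+hlpdrv.sys", "severity": "critical",
                    "reasons": [f"both watchlisted drivers loaded {int(gap.total_seconds())}s apart"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_driver_abuse(SAMPLE_LOG):
        print(alert["ts"], alert["host"], alert["severity"], alert["driver"],
              "; ".join(alert["reasons"]))
```

On the sample data the benign tcpip.sys load produces nothing, the two loads from a user-writable directory on WS-042 produce medium and high alerts, the legitimate driver alone on WS-077 produces a medium alert worth reviewing, and the pairing on WS-042 produces the critical one. In a real deployment the watchlist and trusted directory would be fed from the organisation's own driver inventory rather than hard-coded.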

The attack chain itself is not novel—relying largely on known flaws, poor credential hygiene, and opportunistic targeting. But the speed and coordination observed suggest that Akira operators are refining their playbooks. According to security professionals, this underscores that ransomware groups do not always need to rely on undiscovered zero-days to be effective. In many cases, they simply exploit the lag in enterprise patching and the persistence of weak credentials.

Mitigation steps have been repeatedly reinforced across the security community. SonicWall has issued multiple patches and urged customers to upgrade to the latest firmware, including SonicOS version 7.3.0, which incorporates enhanced security features. Beyond patching, experts highlight configuration hardening, limiting SSLVPN exposure, and enabling Botnet and Geo-IP filtering. Implementing zero-trust principles and reviewing access privileges can also reduce the risk of rapid compromise.
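Arctic Wolf's account recommendations (restrict SSLVPN to trusted networks, remove inactive accounts, reset local credentials after upgrades or migrations, enforce MFA everywhere) and the hardening items listed above (current firmware, Botnet and Geo-IP filtering) can be turned into an audit that runs against an exported user list. The following is an added example, not code from the article, from SonicWall or from Arctic Wolf; it uses a constructed account export and settings dictionary rather than any real SonicWall export format or API, and the trusted network ranges, 90-day inactivity threshold and migration date are assumptions. The firmware threshold is the SonicOS 7.3.0 version named in the article.

```python
import ipaddress
from datetime import date, timedelta

# Assumed set of networks remote access may originate from; an organisation
# would substitute the ranges it actually trusts.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

MIGRATION_DATE = date(2025, 7, 1)   # constructed date of the last firmware upgrade/migration
INACTIVE_AFTER = timedelta(days=90)  # assumed cut-off for "inactive"
MINIMUM_FIRMWARE = (7, 3, 0)         # SonicOS 7.3.0, the version named in the article
REPORT_DATE = date(2025, 9, 10)      # date the audit is run (the article's date)

# Constructed export of SSLVPN users; names, dates and ranges are invented.
USERS = [
    {"name": "alice", "local": True, "mfa": True, "last_login": date(2025, 9, 8),
     "password_changed": date(2025, 7, 15), "allowed_from": ["10.0.0.0/8"]},
    {"name": "bob", "local": True, "mfa": False, "last_login": date(2025, 9, 1),
     "password_changed": date(2024, 11, 2), "allowed_from": ["0.0.0.0/0"]},
    {"name": "contractor", "local": False, "mfa": True, "last_login": date(2025, 3, 20),
     "password_changed": date(2025, 3, 1), "allowed_from": ["192.168.50.0/24"]},
]
# Constructed device-level settings.
SETTINGS = {"firmware": "7.0.1", "botnet_filter": False, "geoip_filter": True}


def parse_version(text):
    """'7.3.0' -> (7, 3, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_user(user, today=REPORT_DATE):
    """Return the list of hygiene findings for one account (empty if clean)."""
    findings = []
    if today - user["last_login"] > INACTIVE_AFTER:
        findings.append("inactive account; remove it")
    if not user["mfa"]:
        findings.append("MFA not enforced")
    if user["local"] and user["password_changed"] < MIGRATION_DATE:
        findings.append("local credential not reset since migration")
    for cidr in user["allowed_from"]:
        net = ipaddress.ip_network(cidr)
        # 0.0.0.0/0 (any source) is never a subnet of a trusted range.
        if not any(net.subnet_of(trusted) for trusted in TRUSTED_NETWORKS):
            findings.append(f"SSLVPN allowed from untrusted range {cidr}")
    return findings


def audit_settings(settings):
    """Check the device-level items the article lists alongside patching."""
    findings = []
    if parse_version(settings["firmware"]) < MINIMUM_FIRMWARE:
        findings.append(f"firmware {settings['firmware']} below 7.3.0")
    if not settings["botnet_filter"]:
        findings.append("Botnet filtering disabled")
    if not settings["geoip_filter"]:
        findings.append("Geo-IP filtering disabled")
    return findings


def audit(users=USERS, settings=SETTINGS, today=REPORT_DATE):
    """Map each account (and the '_device' pseudo-entry) to its findings; clean accounts are omitted."""
    report = {"_device": audit_settings(settings)}
    for user in users:
        findings = audit_user(user, today)
        if findings:
            report[user["name"]] = findings
    return report


if __name__ == "__main__":
    for subject, findings in audit().items():
        for finding in findings:
            print(f"{subject}: {finding}")
```

Run against the constructed data, "alice" is clean, "bob" fails on MFA, stale local credentials and an any-source access rule, the contractor account is flagged only for inactivity, and the device itself is flagged for old firmware and disabled Botnet filtering. The ipaddress.ip_network(...).subnet_of(...) check is what turns "restrict to trusted networks" into something testable: a rule is acceptable only if its whole source range sits inside a trusted range.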

Legal and compliance experts have added that the ongoing attacks reinforce the importance of timely patch management as part of governance, risk, and compliance frameworks. Organizations in regulated industries could face heightened scrutiny if breaches are traced back to known but unpatched vulnerabilities.

Despite the severity of the current campaign, there is still time for organizations to act. As Arctic Wolf stressed, “patching, configuration review, and access controls are the strongest lines of defense against Akira’s tactics.” Bitsight echoed the same urgency, cautioning that “organizations cannot afford to treat legacy flaws as low priority when ransomware groups are clearly still exploiting them.”

The resurgence of Akira’s focus on SonicWall highlights a recurring theme in cybersecurity: attackers thrive not only on cutting-edge exploits but also on the industry’s collective difficulty in maintaining consistent hygiene. In this case, the lessons are clear. Patch quickly, audit frequently, and assume that opportunistic actors will continue to search for and exploit every unguarded system.