Akira Ransomware Exploits Unpatched SonicWall Flaws: Are You at Risk?
In August 2024, SonicWall issued security advisory SNWLID-2024-0015, disclosing an improper access control vulnerability in SSLVPN across Gen5, Gen6, and Gen7 devices. The flaw enabled attackers to bypass restrictions and gain access under specific conditions. Although the company released patches and declared the issue resolved, it later emerged that a number of systems remained improperly secured.
By September, a new wave of attacks surfaced, with operators of the Akira ransomware actively exploiting vulnerable SonicWall devices. Initially believed to be a fresh campaign, SonicWall later clarified that these incidents were in fact consequences of the August defect, triggered where administrators had failed to complete the full cycle of updates and configuration. Rapid7 corroborated this assessment, issuing urgent client alerts and urging organizations to finalize remediation steps. Its incident response team observed a marked increase in intrusions via SonicWall appliances.
SonicWall subsequently highlighted additional risks tied to the Default Users Group Security flaw. In certain LDAP configurations, users who should have been barred from SSLVPN access could nonetheless authenticate and log in. Rapid7 also identified abuses of the Virtual Office Portal, a built-in interface for configuring MFA/TOTP on SonicWall devices. When publicly exposed, the portal could allow attackers to activate two-factor authentication on legitimate accounts—provided they had already obtained valid credentials. Evidence suggests the Akira group combines all three vectors—the August access control defect, the Default Users Group weakness, and Virtual Office Portal exploitation—into a consolidated attack chain, ultimately delivering its ransomware payload.
Operating since early 2023 under the Ransomware-as-a-Service (RaaS) model, Akira is notorious for targeting edge devices. A typical intrusion begins with entry through SSLVPN, escalation to service account privileges, exfiltration of sensitive data from servers, disabling of backup systems, and finally, encryption of entire infrastructures at the hypervisor level.
To mitigate these threats, Rapid7 advises administrators to:
- Reset passwords for all local SonicWall accounts and remove unused ones.
- Enforce MFA for SSLVPN logins.
- Eliminate excessive privileges from Default Groups.
- Restrict Virtual Office Portal access to trusted networks only, and monitor activity on port 4433.
- Confirm installation of the latest firmware updates.
- Isolate and render backups immutable.
- Keep virtualization software fully updated.
- Rigorously monitor privileged account usage via Group Policy.
- Forward logs to a SIEM solution for enhanced visibility.
Such layered defenses are essential to reduce the likelihood of compromise and to contain the damage should attackers gain an initial foothold.