More than a year after SonicWall released a patch for CVE-2024-40766, a critical vulnerability affecting its next-generation firewalls, attackers linked to the Akira ransomware-as-a-service operation continue to exploit the flaw to breach organizations.
Similar to incidents in September 2024 and earlier this year, affiliates of the Akira group are behind the latest wave of attacks. The spike observed in July 2025 was partly due to organizations upgrading from Gen 6 to Gen 7 SonicWall firewalls without resetting local user passwords as recommended by SonicWall.
Attackers have also expanded their techniques. According to Rapid7’s Incident Response team, there has been “an uptick in intrusions involving SonicWall appliances” since early August 2025. Their findings indicate that the Akira group may be chaining together three different security weaknesses to gain access and deploy ransomware.
CVE-2024-40766, which remains unpatched in some environments.
A misconfiguration in the SSLVPN Default Users Group setting. SonicWall explains:
“This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.”
“This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.”
Abuse of the Virtual Office Portal feature in SonicWall appliances, which attackers are using to configure MFA/TOTP on already compromised accounts.
The Australian Cyber Security Centre (ACSC) has also issued warnings about increased Akira activity targeting Australian entities via CVE-2024-40766.
According to Rapid7, the attackers’ method remains consistent: they gain entry through the SSLVPN component, escalate privileges to elevated or service accounts, exfiltrate sensitive data from file servers and network shares, disable or delete backups, and finally execute ransomware at the hypervisor layer.
Recommended Mitigations
Organizations relying on SonicWall firewalls are advised to:
- Rotate passwords on all SonicWall local accounts and delete unused ones.
- Enforce MFA/TOTP for SSLVPN services.
- Set the Default LDAP User Group to “None.”
- Restrict Virtual Office Portal access to trusted local networks and closely monitor usage.
- Ensure all appliances run the latest firmware updates.
SonicWall recently highlighted that SonicOS 7.3.0 introduces additional protections against brute-force attacks and enhanced MFA controls, providing stronger defense against ransomware intrusions.