This long-exposed SonicWall flaw is being used to infect organizations with Akira ransomware - so patch now
A bug patched a year ago is being leveraged

- Akira ransomware is exploiting a year-old SonicWall SSLVPN flaw, targeting unpatched Gen5–Gen7 firewalls
- Attackers also abuse default LDAP group settings and public access to the Virtual Office Portal
- Rapid7 warns that Akira combines multiple weaknesses, urging businesses to patch systems
A vulnerability in SonicWall’s SSLVPN instances, discovered and patched more than a year ago, is now being abused by Akira ransomware operators, security researchers are warning.
The miscreants are going after companies that have not yet applied the patch or otherwise mitigated the risk.
In a newly published security advisory, experts from Rapid7 said that an improper access control vulnerability for SSLVPN, affecting Gen5, Gen6, and Gen7 firewall appliances, has seen an uptick in abuse, starting in August 2025.
Combining risks
Rapid7 also said that Akira is using other means to gain unauthorized access, besides targeting outdated firewall instances. It said that SonicWall posted additional security guidance on the firewall’s Default Users Group Security Risk: in some instances, the Default LDAP group configurations can provision access to the services, which allows users without proper permissions to gain access to the SSLVPN.
The threat actors are also accessing the Virtual Office Portal hosted by SonicWall appliances, the outfit further stated. This service can be used to initially set up MFA/TOTP configurations for SSLVPN users and, in certain default configurations, it allows public access to the portal, which lets miscreants configure MFA/TOTP with valid, previously exposed accounts.
“Evidence collected during Rapid7’s investigations suggests that the Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” the researchers warned.
To mitigate the risk, businesses should rotate passwords on all SonicWall accounts, ensure MFA policies are properly configured, and check that the Virtual Office Portal is restricted to LAN/internal access (or trusted network access only). Other mitigations include monitoring access to the Virtual Office Portal and making sure everything’s patched up.
Akira has been active for at least two years now, and is known for aggressively targeting edge devices, the researchers concluded.
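One way to act on the advice to monitor Virtual Office Portal access and keep it limited to trusted networks, as an added example that is not from Rapid7, SonicWall or the article: it scans exported access records for portal requests from outside the trusted ranges and lists the accounts involved. The log format, the sample lines, the trusted ranges and the portal path (a placeholder, including the `mfa-setup` segment) are all constructed assumptions.

```python
import ipaddress

# Assumption: the networks allowed to reach the portal (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Placeholder, not a real appliance path: set it to the portal path in your logs.
PORTAL_PREFIX = "/portal-path-placeholder"

# Constructed sample in a hypothetical "time src_ip user path status" format.
SAMPLE_LOG = """\
2025-09-01T08:00:12Z 10.1.4.20 alice /portal-path-placeholder/login 200
2025-09-01T08:03:40Z 203.0.113.45 bob /portal-path-placeholder/login 200
2025-09-01T08:04:02Z 203.0.113.45 bob /portal-path-placeholder/mfa-setup 200
2025-09-01T08:10:00Z 198.51.100.7 - /other 404
malformed line
2025-09-01T09:00:00Z 192.168.1.5 carol /portal-path-placeholder/mfa-setup 200
"""

def is_trusted(ip_text):
    """True if the address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on a bad address
    return any(ip in net for net in TRUSTED_NETS)

def untrusted_portal_hits(log_text):
    """Return (hits, skipped): portal requests from untrusted sources,
    plus the number of lines that could not be parsed."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            skipped += 1
            continue
        when, src, user, path, status = fields
        try:
            trusted = is_trusted(src)
        except ValueError:
            skipped += 1
            continue
        if path.startswith(PORTAL_PREFIX) and not trusted:
            hits.append({"time": when, "src": src, "user": user, "path": path})
    return hits, skipped

def users_to_review(hits):
    """Accounts seen on the portal from untrusted sources: candidates for
    password rotation and an MFA enrolment check."""
    return sorted({h["user"] for h in hits if h["user"] != "-"})

if __name__ == "__main__":
    found, bad = untrusted_portal_hits(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["src"], h["user"], h["path"])
    print("review:", users_to_review(found), "unparsed lines:", bad)
```

Any hit also means the portal is reachable from outside the trusted ranges, which is the exposure the restriction to LAN/internal access is meant to close.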
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.