• From mid-July 2025, there’s been an uptick in malicious logins
• Researchers speculate criminals found a zero-day
• Users are advised to strengthen their cybersecurity posture

SonicWall SSL VPN devices may be carrying a zero-day vulnerability that the operators of the Akira ransomware discovered and are now exploiting in the wild.

Since mid-July 2025, researchers at Arctic Wolf Labs have observed an uptick in malicious logins, all arriving through SonicWall SSL VPN instances. Because some of the affected devices were fully patched at the time of the intrusion, the researchers speculate that an as-yet-unknown (zero-day) flaw may be in play.

However, they have not ruled out the possibility that the attackers simply obtained a set of valid login credentials elsewhere and used them to log in, which would leave the devices themselves unexploited.

On the FBI’s radar

In any case, organizations that saw these malicious logins were infected with Akira ransomware shortly afterwards.

“A short interval was observed between initial SSL VPN account access and ransomware encryption,” the researchers explained. “In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.”

Until SonicWall publishes a patch, or at least an explanation, businesses running these VPNs are advised to enforce multi-factor authentication (MFA), remove inactive and unused firewall accounts, and make sure passwords are recently rotated, strong, and unique. Note that SonicWall’s own statement (below) cautions that MFA alone may not stop the activity under investigation, so the account clean-up and source-IP restrictions matter as much as the second factor.
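The two signals Arctic Wolf singles out, a VPN login from VPS/hosting address space rather than a broadband ISP and a short gap between that login and encryption, are easy to turn into a first-pass triage over your own logs. The script below is an added example, not code from Arctic Wolf, SonicWall or TechRadar; the log line format, the “hosting” prefixes (RFC 5737 documentation ranges standing in for real provider blocks) and the thresholds are all constructed for illustration. A real deployment would feed it prefixes from an ASN or IP-reputation source and logins from the firewall’s syslog or a SIEM.

```python
"""Triage successful SSL VPN logins for two signals Arctic Wolf describes:
a source IP in VPS/hosting address space, and a burst of file modifications
by the same account shortly after the login.

Added example, not Arctic Wolf's or SonicWall's code. Log format, hosting
prefixes and thresholds are constructed for illustration only.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-ins for VPS/hosting blocks (RFC 5737 documentation
# ranges, not real provider allocations). Replace with an ASN/IP feed.
HOSTING_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24",
    "198.51.100.0/24",
)]

# Constructed, simplified syslog-style lines. This is NOT SonicWall's log
# syntax; it only carries the fields the triage needs.
SAMPLE_LOG = """\
2025-07-15T02:11:04Z sslvpn login user=jdoe src=192.0.2.44 result=allowed
2025-07-15T02:14:37Z sslvpn login user=svc-backup src=203.0.113.9 result=allowed
2025-07-15T02:19:20Z endpoint fileops host=FS01 user=svc-backup modified=4200
2025-07-15T08:02:51Z sslvpn login user=asmith src=192.0.2.80 result=allowed
2025-07-15T09:30:00Z endpoint fileops host=WS22 user=asmith modified=12
"""


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, source, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = f"{source} {action}"
    return fields


def is_hosting_ip(ip):
    """True if ip falls inside one of the configured hosting/VPS prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_PREFIXES)


def triage(log_text, window=timedelta(minutes=30), mass_threshold=1000):
    """Return one finding per suspicious successful SSL VPN login."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    logins = [e for e in events
              if e["event"] == "sslvpn login" and e.get("result") == "allowed"]
    fileops = [e for e in events if e["event"] == "endpoint fileops"]

    findings = []
    for login in logins:
        reasons = []
        if is_hosting_ip(login["src"]):
            reasons.append("login from hosting/VPS address space")
        # Short login-to-encryption interval: the same account touching a
        # large number of files within `window` of the login.
        for op in fileops:
            delta = op["ts"] - login["ts"]
            if (op["user"] == login["user"]
                    and timedelta(0) <= delta <= window
                    and int(op["modified"]) >= mass_threshold):
                minutes = int(delta.total_seconds() // 60)
                reasons.append(
                    f"{op['modified']} files modified on {op['host']} "
                    f"{minutes} min after login")
        if reasons:
            findings.append({
                "user": login["user"],
                "src": login["src"],
                "ts": login["ts"].isoformat(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} from {f['src']}: " + "; ".join(f["reasons"]))
```

On the constructed sample the only finding is the `svc-backup` login from the stand-in hosting block, followed four minutes later by 4,200 file modifications on one host; the two broadband-range logins are left alone. Treat a hosting-range login as a lead rather than a verdict, since some legitimate users do tunnel through cloud-hosted jump boxes, and tune the window and threshold to your own environment.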

Akira is a ransomware strain that first appeared in March 2023 and targets businesses across a range of sectors. It is known for gaining its initial foothold through compromised VPN credentials and exposed services.

The group targets both Windows and Linux systems and routinely deletes or disables backups to hinder recovery. As of mid-2025, Akira has been linked to attacks on hundreds of organizations globally, including Stanford University, Nissan Australia, and Tietoevry. It usually directs victims to contact it through a Tor-based website.

The FBI and CISA have issued warnings about its activity, urging organizations to implement stronger network defenses and multifactor authentication.

Via The Hacker News

Edit – August 6

After the publication of Arctic Wolf’s research, SonicWall reached out to TechRadar Pro with the following statement:

“SonicWall is actively investigating a recent increase in reported cyber incidents involving a number of Gen 7 firewalls running various firmware versions with SSLVPN enabled. These cases have been flagged both internally and by third-party threat research teams, including Arctic Wolf, Google Mandiant, and Huntress. We are working closely with these organizations to determine whether the activity is tied to a previously disclosed vulnerability or represents a zero-day vulnerability.

As always, we will communicate openly with our partners and customers as the investigation progresses. If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible.

As a precaution, we strongly urge customers and partners using Gen 7 firewalls to take immediate mitigation steps:

• Disable SSLVPN services where practical – the additional mitigations below should be taken in all cases, including where disabling SSLVPN is not practical for the customer.

• Limit SSLVPN connectivity to trusted source IPs.

• Ensure Security Services (e.g., Botnet Protection, Geo-IP Filter) are enabled.

• Remove unused or inactive firewall user accounts.

• Promote strong password hygiene.

• Enforce Multi-Factor Authentication (MFA) for all remote access (MFA enforcement alone may not protect against the activity under investigation).”
