
An Akira ransomware campaign is specifically targeting SonicWall SSL VPN devices. Attackers are actively exploiting these devices to gain unauthorized access to corporate networks. Review the details in this Cybersecurity Threat Advisory to learn more and see recommended steps to protect your network.
What is the threat?
The Akira ransomware group has launched a targeted campaign against SonicWall SSL VPN appliances, exploiting what appears to be a previously unknown vulnerability. Notably, even fully patched devices are affected—suggesting the presence of a zero-day exploit.
Initial breaches typically begin with unauthorized VPN access, bypassing multi-factor authentication and other security controls. Once inside, attackers escalate privileges and deploy ransomware, locking systems and disrupting operations.
The campaign began around July 15, 2025, and has since intensified—indicating a coordinated effort to compromise remote access infrastructure.
Why is it noteworthy?
This targeted campaign is sophisticated, rapidly deployed, and easily scalable. Akira’s ability to bypass trusted security mechanisms—such as multi-factor authentication and enterprise-grade VPN appliances—signals a troubling evolution in ransomware tactics.
The suspected zero-day vulnerability enables attackers to infiltrate networks undetected, making SonicWall SSL VPNs high-value targets. These devices are used for secure remote access, meaning the impact could span multiple sectors and geographies.
What’s especially concerning is the absence of official mitigation guidance. Without a patch or workaround, organizations must rely on vigilant monitoring and proactive threat detection to defend against this rapidly evolving threat.
What is the exposure or risk?
Organizations using SonicWall SSL VPNs face an elevated risk of compromise. Once attackers gain access, they can move laterally across internal networks, exfiltrate sensitive data, disable security tools, and ultimately deploy ransomware to encrypt files and disrupt operations. The financial and reputational damage from such an attack can be severe. If left unaddressed, this vulnerability could lead to widespread breaches—particularly in sectors that rely heavily on SonicWall for secure remote connectivity.
What are the recommendations?
Barracuda recommends the following actions to protect your environment against this threat:
- Disable SonicWall SSL VPN, if possible, until a patch is released.
- Limit SSL VPN connections to trusted source IPs.
- Enable security services on your SonicWall devices such as “botnet protection” and “Geo-IP Filtering”.
- Enable MFA for all remote access connections.
- Perform an audit of all accounts and remove those that are no longer active.
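One way to check two of the recommendations above (trusted source IPs and the account audit) against VPN login records, as an added example that is not Barracuda's or SonicWall's code. It assumes a CSV export with constructed columns `timestamp,user,src_ip,result`, a hypothetical allowlist of documentation-range networks, and a 90-day inactivity threshold.

```python
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: trusted source ranges (constructed, RFC 5737 documentation ranges).
TRUSTED_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.16/28")]
STALE_AFTER = timedelta(days=90)  # assumption: inactivity threshold

# Constructed sample export; this is not a SonicWall log format.
SAMPLE_LOG = """\
timestamp,user,src_ip,result
2025-04-02T08:15:00,svc_backup,198.51.100.20,success
2025-07-28T09:01:12,alice,198.51.100.7,success
2025-07-30T02:44:51,bob,192.0.2.99,success
2025-07-30T02:45:03,bob,192.0.2.99,failure
2025-08-01T13:20:40,alice,203.0.113.18,success
"""
ACCOUNTS = ["alice", "bob", "svc_backup", "old_contractor"]  # constructed


def is_trusted(src_ip):
    """True if the source address falls inside any allowlisted network."""
    addr = ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETS)


def audit(log_text, accounts, now):
    """Return (successful logins from outside the allowlist, stale accounts)."""
    untrusted, last_seen = [], {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != "success":
            continue  # only successful sessions count as activity
        ts = datetime.fromisoformat(row["timestamp"])
        last_seen[row["user"]] = max(ts, last_seen.get(row["user"], ts))
        if not is_trusted(row["src_ip"]):
            untrusted.append((row["timestamp"], row["user"], row["src_ip"]))
    # Stale: never logged in successfully, or last success older than threshold.
    stale = sorted(u for u in accounts
                   if u not in last_seen or now - last_seen[u] > STALE_AFTER)
    return untrusted, stale


def run_sample():
    """Audit the constructed sample as of a fixed review date."""
    return audit(SAMPLE_LOG, ACCOUNTS, datetime(2025, 8, 4))


if __name__ == "__main__":
    print(run_sample())
```

Logins flagged as outside the allowlist are candidates for review, and stale accounts are candidates for removal under the audit recommendation.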
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/08/akira-ransomware-exploits-sonicwall.html?m=1
- https://www.helpnetsecurity.com/2025/08/04/sonicwall-firewalls-ssl-vpn-ransomware-akira/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.