SonicWall SSL VPN Zero-Day Targeted by Akira Ransomware

By admin | Cybersecurity | 8 months ago | 182 Views

On August 5, 2025, cybersecurity researchers revealed that the Akira ransomware group is actively exploiting a zero-day vulnerability in SonicWall SSL VPN appliances, particularly in TZ and NSa series firmware versions prior to 7.2.0‑7015. Organizations began reporting attacks starting July 25, with hackers infiltrating VPNs, quickly pivoting to domain controllers, disabling antivirus tools, and deleting backups before deploying ransomware. This wave appears to include at least 20 confirmed incidents and underscores the urgency of applying patches or taking vulnerable systems offline immediately.

Why It Matters

  • Critical Access Point Breached: SonicWall SSL VPNs are often used for remote access, exposing entire networks when compromised.
  • Bypassing Defenses: Attackers disabled endpoint protection and deleted volume shadow copies, preventing recovery and evading detection.
  • High Speed Escalation: Many incidents saw attackers move from initial breach to domain-wide control in just a few hours.
  • Broad Impact: This isn’t isolated—numerous organizations globally are affected by this campaign.

Recommended Actions

  • Patch immediately if you’re running SonicWall firmware version 7.2.0‑7015 or earlier.
  • Temporarily disable SSL VPN services if patches aren’t yet available.
  • Deploy phishing-resistant multi-factor authentication (e.g. FIDO/WebAuthn) across remote access points.
  • Harden domain controllers, audit VPN usage, and restore encrypted offline backups.
  • Monitor for atypical logins or abnormal lateral movements.
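
The monitoring step above can be expressed as a correlation rule over the attack chain this article describes (VPN login, then domain controller access, then disabled antivirus or deleted shadow copies, all within hours). The sketch below is an added example, not part of the original article or any SonicWall tooling; the event schema, account names, hosts, IP addresses and the 6-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: "a few hours" from breach to domain-wide control -> 6-hour window.
WINDOW = timedelta(hours=6)
# Hypothetical normalized event types for the follow-on stages the article lists.
FOLLOW_ON = {"dc_logon", "av_disabled", "shadow_copy_delete"}

# Constructed sample events: (timestamp, event type, account, source IP or host).
EVENTS = [
    ("2025-07-25T02:10:00", "vpn_login", "svc-backup", "203.0.113.7"),
    ("2025-07-25T02:40:00", "dc_logon", "svc-backup", "DC01"),
    ("2025-07-25T03:05:00", "av_disabled", "svc-backup", "DC01"),
    ("2025-07-25T03:20:00", "shadow_copy_delete", "svc-backup", "DC01"),
    ("2025-07-25T08:00:00", "vpn_login", "bob", "198.51.100.20"),
    ("2025-07-25T08:15:00", "dc_logon", "bob", "DC01"),           # routine admin work
    ("2025-07-25T09:00:00", "vpn_login", "carol", "198.51.100.31"),
    ("2025-07-25T19:30:00", "av_disabled", "carol", "WS-114"),    # outside the window
]

def correlate(events, window=WINDOW):
    """Flag VPN logins followed, within `window`, by a domain controller logon
    plus at least one defense-impairing action by the same account."""
    parsed = sorted((datetime.fromisoformat(ts), kind, user, where)
                    for ts, kind, user, where in events)
    alerts = []
    for i, (t0, kind, user, source) in enumerate(parsed):
        if kind != "vpn_login":
            continue
        stages = []
        for t, k, u, _ in parsed[i + 1:]:
            if t - t0 > window:
                break  # events are time-sorted; nothing later can match
            if u == user and k in FOLLOW_ON and k not in stages:
                stages.append(k)
        if "dc_logon" in stages and len(stages) >= 2:
            alerts.append({"user": user, "source": source,
                           "vpn_login": t0.isoformat(), "stages": stages})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

This rule only links events by account name, so activity continued under a different account after the VPN login would need an additional join on host or session.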
