Severity
High
Analysis Summary
A critical cybersecurity threat has emerged involving a suspected zero-day vulnerability in SonicWall firewall devices, actively exploited by the Akira ransomware group. This flaw, suspected to reside in SonicWall's SSL VPN feature, enables attackers to gain unauthorized access to corporate networks, often even on fully patched systems. Notably, some incidents revealed that attackers were able to bypass multi-factor authentication (MFA), suggesting a highly advanced exploit mechanism. Since mid-July 2025, there has been a marked spike in such intrusions, confirming this as a widespread and pressing issue.
Security analysts traced the source of VPN login attempts to IP addresses owned by Virtual Private Server (VPS) hosting providers, not typical business or residential users, further indicating the use of anonymized infrastructure by attackers. In some cases, there was a minimal delay between the initial breach and ransomware deployment, giving organizations little time to detect or respond. This campaign appears to be a continuation of malicious activity dating back to at least October 2024 but shows a new level of aggression and success rate, emphasizing the urgency of the situation.
In response, the researcher has advised all organizations to immediately disable the SonicWall SSL VPN until an official patch is released. This temporary but crucial step is meant to cut off the main vector of access used in these attacks. Additional security recommendations include enabling SonicWall’s built-in features like Botnet Protection, enforcing MFA on all remote access, ensuring strong password policies with regular updates, and removing any unused VPN-enabled local accounts. These measures aim to reduce exposure while the vulnerability remains unpatched.
Administrators are further urged to block VPN login attempts originating from known malicious Autonomous System Numbers (ASNs), especially those tied to VPS providers used in the campaign. Though these networks aren't inherently harmful, their role in recent VPN abuse is highly suspicious. Investigators have also spotlighted older, end-of-life SonicWall SMA 100 series appliances, linking them to a covert operation involving a zero-day remote code execution flaw paired with a backdoor dubbed "OVERSTEP." As the researcher continues its investigation, all SonicWall users are strongly encouraged to reassess their defenses and take immediate action to prevent compromise.
Impact
- Unauthorized Access
- Security Bypass
Remediation
- Immediately disable SonicWall SSL VPN service to prevent attackers from leveraging the suspected zero-day vulnerability for initial access.
- Enable SonicWall security services, including features like Botnet Protection and Intrusion Prevention, to detect and block malicious activity.
- Enforce Multi-Factor Authentication (MFA) on all remote access accounts to add an extra layer of protection; despite evidence of some bypasses, it remains a key defense.
- Implement strong password policies, including complex, unique passwords with regular mandatory updates across all user accounts.
- Remove unused or inactive local user accounts, especially those with VPN access, to reduce the potential attack surface.
- Block VPN login attempts from known suspicious Autonomous System Numbers (ASNs) linked to VPS providers commonly used by attackers.
- Regularly audit firewall and VPN logs to detect unusual login patterns or connections from unexpected IP ranges.
- Ensure systems are updated and patched as soon as official security fixes are released by SonicWall.
- Monitor for threat intelligence updates from sources like Arctic Wolf Labs for evolving indicators of compromise and further mitigation guidance.
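The two log-centric recommendations above (blocking VPN logins from suspicious ASNs and auditing VPN logs for unusual login patterns) can be turned into a small triage script. The following is an added example written for this advisory, not code from the advisory's author or from SonicWall. It assumes a simplified syslog-like login event layout (not the real SonicWall log format), a constructed prefix-to-ASN table using RFC 5398 documentation ASNs in place of a real whois/BGP lookup, and constructed sample log lines; the suspicious-ASN list is a placeholder an administrator would fill from their own threat intelligence.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a simplified syslog-like layout (NOT the real
# SonicWall log format): timestamp, event, user, source IP, result.
SAMPLE_LOGS = [
    "2025-07-18T09:02:11Z sslvpn-login user=alice src=192.0.2.10 result=success",
    "2025-07-18T09:05:42Z sslvpn-login user=bob src=192.0.2.11 result=success",
    "2025-07-20T02:14:05Z sslvpn-login user=svc-backup src=203.0.113.45 result=success",
    "2025-07-20T02:14:09Z sslvpn-login user=svc-backup src=203.0.113.45 result=success",
    "2025-07-21T03:40:00Z sslvpn-login user=admin src=198.51.100.7 result=failure",
    "2025-07-21T03:40:03Z sslvpn-login user=admin src=198.51.100.7 result=failure",
    "2025-07-21T03:40:06Z sslvpn-login user=admin src=198.51.100.7 result=failure",
    "2025-07-21T03:40:09Z sslvpn-login user=admin src=198.51.100.7 result=failure",
    "2025-07-21T03:40:12Z sslvpn-login user=carol src=198.51.100.7 result=failure",
    "malformed line that should be ignored",
]

# Constructed prefix -> ASN table. A real deployment would query a whois/BGP
# dataset; the ASNs here come from the RFC 5398 documentation range and the
# "VPS provider" / "corporate ISP" labels are hypothetical.
PREFIX_TO_ASN = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,     # hypothetical corporate ISP
    ipaddress.ip_network("203.0.113.0/24"): 64496,   # hypothetical VPS provider
    ipaddress.ip_network("198.51.100.0/24"): 64497,  # hypothetical VPS provider
}

# Placeholder list of ASNs the administrator treats as suspicious for VPN logins.
SUSPICIOUS_ASNS = {64496, 64497}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn-login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one login event, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
    except ValueError:
        return None
    return fields


def lookup_asn(ip, table=PREFIX_TO_ASN):
    """Longest-prefix match of ip (string or address object) against the table."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, asn in table.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def audit_vpn_logins(lines, suspicious_asns=SUSPICIOUS_ASNS, failure_threshold=3):
    """Return (asn_hits, failure_bursts).

    asn_hits: successful logins whose source ASN is on the suspicious list.
    failure_bursts: source IPs with >= failure_threshold failed logins, together
    with the usernames they tried (a burst across accounts is the pattern to review).
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    asn_hits = []
    failures = Counter()
    tried_users = {}
    for e in events:
        asn = lookup_asn(e["src"])
        if e["result"] == "success" and asn in suspicious_asns:
            asn_hits.append({"ts": e["ts"], "user": e["user"], "src": str(e["src"]), "asn": asn})
        elif e["result"] == "failure":
            failures[e["src"]] += 1
            tried_users.setdefault(e["src"], set()).add(e["user"])
    failure_bursts = {
        str(ip): {"failures": n, "users": sorted(tried_users[ip])}
        for ip, n in failures.items()
        if n >= failure_threshold
    }
    return asn_hits, failure_bursts


if __name__ == "__main__":
    hits, bursts = audit_vpn_logins(SAMPLE_LOGS)
    for h in hits:
        print(f"[ASN] {h['ts']} user={h['user']} src={h['src']} asn={h['asn']}")
    for ip, info in bursts.items():
        print(f"[FAIL-BURST] src={ip} failures={info['failures']} users={info['users']}")
```

Successful logins from a flagged ASN are reported separately from failure bursts because they need different follow-up: the former is a candidate compromised account to disable and investigate (the advisory notes MFA was bypassed in some cases, so a successful login is not evidence of legitimacy), while the latter is input for the ASN block list and for the unused-local-account cleanup recommended above.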