SonicWall said it is actively investigating whether a new zero-day vulnerability is behind a spike in Akira ransomware activity reported in late July 2025.
“Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled,” the network security vendor said in a statement Monday.
“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.”
While SonicWall is digging deeper, organizations using Gen 7 SonicWall firewalls are advised to follow the steps below until further notice:
- Disable SSL VPN services where practical
- Limit SSL VPN connectivity to trusted IP addresses
- Activate services such as Botnet Protection and Geo-IP Filtering
- Enforce multi-factor authentication
- Remove inactive or unused local user accounts on the firewall, particularly those with SSL VPN access
- Encourage regular password updates across all user accounts
“VPNs are a requirement for many organizations for their employees to access the corporate network, so expecting every customer to disable the service is not viable, but it is the only current way to halt the malicious activity against these devices,” Satnam Narang, senior staff research engineer at Tenable, said.
“While the list of additional security actions organizations can take is valuable in lieu of disabling the VPN, it is highly advised that organizations initiate incident response to determine their exposure.”
The development comes shortly after Arctic Wolf revealed it had identified a surge in Akira ransomware activity targeting SonicWall SSL VPN devices for initial access since late last month.
Huntress, in a follow-up analysis published Monday, also said it has observed threat actors pivoting directly to domain controllers merely a few hours after the initial breach.
Attack chains commence with the breach of the SonicWall appliance, followed by the attackers taking a “well-worn” post-exploitation path to conduct enumeration, detection evasion, lateral movement, and credential theft.
The incidents also involve the bad actors methodically disabling Microsoft Defender Antivirus and deleting volume shadow copies prior to deploying Akira ransomware.
Huntress said it detected around 20 different attacks tied to the latest attack wave starting on July 25, 2025, with variations observed in the tradecraft used to pull them off, including in the use of tools for reconnaissance and persistence, such as AnyDesk, ScreenConnect, or SSH.
In a statement shared with The Hacker News, the company said all the identified incidents were related to Akira ransomware, although there were instances where the attackers did not succeed in their efforts.
“Some may have not been successful in fully encrypting the targets, but they gained access and would have most likely tried to encrypt the environment if they had been given the chance,” Huntress said. “We know that these actors were Akira related because they operated similarly to what we’ve seen from them in the past, or there were readme files, or executables directly linking them.”
There is evidence to suggest that the activity may be limited to TZ and NSa-series SonicWall firewalls with SSL VPN enabled, and that the suspected flaw exists in firmware versions 7.2.0-7015 and earlier.
“The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild,” the cybersecurity company said. “This is a critical, ongoing threat.”
Update
In a report published August 5, 2025, GuidePoint Security disclosed that the Akira ransomware actors have leveraged two Windows drivers, rwdrv.sys (a legitimate driver for the Windows performance tuning utility ThrottleStop) and hlpdrv.sys, as part of a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain to disarm antivirus (AV) solutions.
“We have observed Akira affiliates registering [rwdrv.sys] as a service and we assess that this driver is used to gain kernel-level access to the impacted device,” Jason Baker said.
“The second driver, hlpdrv.sys, is similarly registered as a service. When executed, it modifies the DisableAntiSpyware settings of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware. The malware accomplishes this via execution of regedit.exe.”
GuidePoint also theorized that the legitimate rwdrv.sys driver may have been utilized by the attackers to facilitate the execution of hlpdrv.sys. However, the exact mechanism used to pull this off remains unknown.
Interestingly, another driver associated with ThrottleStop (“ThrottleBlood.sys”) has also been abused in the wild in a BYOVD attack to kill antivirus software and execute MedusaLocker ransomware. The malicious artifact used to pull this off has been detected in the wild since October 2024.
“The adversary gained access to the initial system, an SMTP server, through a valid RDP credential,” Kaspersky said. “They then extracted other users’ credentials with Mimikatz and performed lateral movement using the pass-the-hash technique. The attacker achieved their objective by disabling the AV in place on various endpoints and servers across the network and executing a variant of the MedusaLocker ransomware.”
In recent months, Akira ransomware infections have also been propagated via search engine optimization (SEO) poisoning techniques, with searches for IT management tools like “ManageEngine OpManager” on Microsoft Bing leading users to bogus sites that deliver a trojanized installer, which then drops the Bumblebee malware loader.
The initial access afforded by the malware is leveraged for reconnaissance and the deployment of a legitimate post-exploitation and adversary emulation framework called AdaptixC2 for persistent remote access.
“Following initial access, the threat actor moved laterally to a domain controller, dumped credentials, installed persistent remote access tools, and exfiltrated data using an SFTP client,” The DFIR Report said. “The intrusion culminated in the deployment of Akira ransomware across the root domain.”
(The story was updated after publication to include insights from The DFIR Report, GuidePoint Security, Huntress, Kaspersky, and Tenable.)