
Akira Ransomware exploits year-old SonicWall flaw with multiple vectors


SonicWall SonicOS

Researchers warn that Akira ransomware group is exploiting a year-old SonicWall firewall flaw, likely using three attack vectors for initial access.

The Akira ransomware group is exploiting a year-old SonicWall firewall vulnerability, tracked as CVE-2024-40766 (CVSS score of 9.3), likely using three attack vectors for initial access, according to Rapid7.

“Evidence collected during Rapid7’s investigations suggests that the Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations.” reads the report published by Rapid7.

The vulnerability is an improper access control issue that resides in the SonicWall SonicOS management access. An attacker can exploit the issue to achieve unauthorized access to the devices.

SonicWall addressed the critical flaw in its firewalls in August 2024, and the US CISA added it to its Known Exploited Vulnerabilities (KEV) catalog in September 2024.

In August 2025, SonicWall investigated claims of a zero-day being used in ransomware attacks but found no evidence of any new vulnerability in its products.

SonicWall launched the investigation after a surge in Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled. The company worked to determine if the incidents stem from an existing flaw or a newly discovered vulnerability.

SonicWall later confirmed that there’s no zero-day involved in recent ransomware attacks, but rather the exploitation of a known flaw, CVE-2024-40766. While many systems have since been patched, attackers can still access them if credentials weren’t changed. Fewer than 40 related incidents are under investigation by SonicWall, mostly tied to firewall migrations.

“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015.” reads the advisory published by the security vendor.

“We are currently investigating less than 40 incidents related to this cyber activity. Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset. Resetting passwords was a critical step outlined in the original advisory.”

SonicWall issued new guidance on the SSLVPN Default Users Group risk, which may grant unauthorized access in certain LDAP setups. Rapid7 also found threat actors abusing the Virtual Office Portal to configure MFA/TOTP with exposed credentials. Evidence suggests Akira ransomware is exploiting a mix of these flaws for attacks.


Rapid7 urges SonicWall users to secure accounts, enable MFA, fix SSLVPN Default Groups risk, restrict and monitor the Virtual Office Portal, and apply security patches.
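To make the guidance above concrete, here is an added example (not Rapid7's or SonicWall's own tooling) that triages an exported firewall inventory for the conditions the article links to these intrusions: local passwords that predate the fix and survived a Gen 6 to Gen 7 migration, accounts without MFA enrolled, an SSLVPN default user group under LDAP, and a Virtual Office Portal reachable from the WAN. The inventory fields, the group name "SSLVPN Services" and the exact fix day are assumptions; the sample devices are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List
# CVE-2024-40766 was fixed in August 2024 (from the article); the exact day is a placeholder.
FIX_DATE = date(2024, 8, 1)

@dataclass
class LocalUser:
    name: str
    password_last_set: date
    migrated_from_gen6: bool = False   # local account carried over in a Gen 6 -> Gen 7 migration
    mfa_enrolled: bool = False         # TOTP already bound, so portal self-enrolment is moot

@dataclass
class Firewall:
    name: str
    patched_cve_2024_40766: bool
    ldap_auth_enabled: bool
    sslvpn_default_user_group: str = ""      # group auto-assigned to SSLVPN users ("" = none)
    virtual_office_portal_on_wan: bool = False
    users: List[LocalUser] = field(default_factory=list)

def triage(fw: Firewall) -> List[str]:
    """Return human-readable findings; an empty list means none of the risks applies."""
    findings = []
    if not fw.patched_cve_2024_40766:
        findings.append("CVE-2024-40766 unpatched")
    for u in fw.users:
        # Patching alone does not help while a password that predates the fix is still valid.
        if u.password_last_set < FIX_DATE:
            why = "carried over from Gen 6" if u.migrated_from_gen6 else "set before the fix"
            findings.append(f"user {u.name}: password {why}, never reset")
        if not u.mfa_enrolled:
            findings.append(f"user {u.name}: no MFA/TOTP enrolled")
    if fw.ldap_auth_enabled and fw.sslvpn_default_user_group:
        findings.append(f"SSLVPN default user group '{fw.sslvpn_default_user_group}' with LDAP auth")
    if fw.virtual_office_portal_on_wan:
        findings.append("Virtual Office Portal reachable from WAN: restrict and monitor it")
    return findings

# Constructed sample inventory (not real devices).
SAMPLE_MIGRATED = Firewall(
    name="fw-gen7-branch", patched_cve_2024_40766=True, ldap_auth_enabled=True,
    sslvpn_default_user_group="SSLVPN Services", virtual_office_portal_on_wan=True,
    users=[LocalUser("vpnadmin", date(2023, 5, 10), migrated_from_gen6=True),
           LocalUser("jdoe", date(2025, 1, 15), mfa_enrolled=True)],
)
SAMPLE_CLEAN = Firewall(
    name="fw-gen7-hq", patched_cve_2024_40766=True, ldap_auth_enabled=True,
    users=[LocalUser("jdoe", date(2025, 1, 15), mfa_enrolled=True)],
)
```

Running `triage(SAMPLE_MIGRATED)` reports the migrated account twice (stale password, no MFA) plus the default-group and portal findings, while the fully patched device with a rotated password and MFA comes back clean.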

Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple organizations across multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.


Pierluigi Paganini

(SecurityAffairs – hacking, Akira ransomware)