- Akira ransomware exploits a year-old SonicWall SSLVPN flaw, targeting unpatched Gen5-Gen7 firewalls
- Attackers also abuse default LDAP group settings and public access to the Virtual Office portal
- Rapid7 warns that Akira chains several weaknesses and urges companies to patch their systems
A vulnerability in SonicWall SSLVPN devices that was discovered and patched more than a year ago is now being abused by Akira ransomware operators, security researchers warn.
The attackers go after companies that have not yet applied the patch or otherwise reduced the risk.
In a recently published security advisory, researchers at Rapid7 said that an improper access control vulnerability in SSLVPN affecting Gen5, Gen6 and Gen7 firewall appliances has seen an uptick in exploitation beginning in August 2025.
Combination of risks
Rapid7 also said Akira uses other means to gain unauthorized access in addition to targeting outdated firewall devices. SonicWall has published additional security guidance on the firewall's default user group security risk: in some cases, default LDAP group configurations can grant access to services, giving users without the appropriate permissions access to SSLVPN.
The threat actors also gain access to the Virtual Office portal hosted on SonicWall appliances, the company further stated. This service can be used to initially configure MFA/TOTP for SSLVPN users and, in certain default configurations, is publicly accessible, which allows attackers to set up MFA/TOTP for valid, previously exposed accounts.
“Evidence collected during Rapid7's investigations suggests that the Akira group potentially uses a combination of all three of these security risks to gain unauthorized access and perform ransomware operations,” the researchers warned.
To mitigate the risk, companies should rotate passwords on all SonicWall accounts, ensure that MFA policies are configured correctly, and check that the Virtual Office portal is limited to LAN/internal access (or trusted network access). Other mitigations include monitoring access to the Virtual Office portal and making sure everything is patched.
Akira has been active for at least two years and is known for aggressively targeting edge devices, the researchers concluded.