

Ethical Hacking News

SonicWall SSL VPN Flaw Exposed: Akira Ransomware Hackers Take Advantage of Misconfigurations




A recent vulnerability discovered in SonicWall's SSL VPN module has been exploited by the Akira ransomware group, which is actively targeting these devices as part of their initial access strategy. To mitigate this risk, organizations must take immediate action to secure their networks and prevent unauthorized access.

  • SonicWall's SSL VPN module is vulnerable to exploitation by the Akira ransomware group, allowing attackers to gain unauthorized access to sensitive systems and data.
  • The vulnerability relates to local user passwords being handled during the migration process for SSL VPNs on SonicWall firewalls, potentially leading to compromised credentials falling into the wrong hands.
  • Threat actors are utilizing this vulnerability to brute-force user credentials on SonicWall appliances and bypass intended access controls by exploiting default configurations related to LDAP (Lightweight Directory Access Protocol) SSL VPN user groups.
  • The Akira ransomware group has been actively targeting vulnerable SonicWall SSL VPN devices as part of their operations, striking several organizations in Australia and other countries.
  • Organizations using SonicWall firewalls are advised to rotate passwords, remove unused accounts, configure MFA/TOTP policies, and restrict Virtual Office Portal access to mitigate this risk.


    SonicWall, a leading provider of network security solutions, has recently faced a significant challenge to its reputation following reports of widespread exploitation by the Akira ransomware group. The vulnerability, which was first discovered in 2024 and had a critical CVSS score of 9.3, relates to the SSL VPN module within SonicWall firewalls.

    According to Rapid7, a cybersecurity firm that has been monitoring the situation, there has been a significant spike in intrusions involving SonicWall appliances over the past month. This surge in activity is largely attributed to the Akira ransomware group, which has been actively targeting these devices as part of their initial access strategy.

    The vulnerability in question relates to the way local user passwords are handled during the migration process for SSL VPNs on SonicWall firewalls. In certain configurations, this can lead to passwords not being reset, resulting in compromised credentials falling into the wrong hands. This has significant implications for network security, as it allows attackers to gain unauthorized access to sensitive systems and data.

    Rapid7 observed that threat actors are utilizing this vulnerability to brute-force user credentials on SonicWall appliances. In some cases, they have also managed to bypass intended access controls by exploiting default configurations related to LDAP (Lightweight Directory Access Protocol) SSL VPN user groups.
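    As an added illustration of how a defender can spot the brute-force activity described above, the following script (not part of the original article or of any SonicWall tooling) parses a handful of constructed, simplified key=value authentication log lines and raises two kinds of alert: one source failing against many distinct usernames inside a short window, and a successful login from a source that was failing moments earlier. The log format, hostnames, usernames and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value style; this is NOT the
# real SonicWall syslog format, only a stand-in so the logic runs offline.
SAMPLE_LOG = """\
time="2025-09-10 02:14:01" msg="SSL VPN login failed" usr="jsmith" src=203.0.113.5
time="2025-09-10 02:14:02" msg="SSL VPN login failed" usr="jdoe" src=203.0.113.5
time="2025-09-10 02:14:03" msg="SSL VPN login failed" usr="mlee" src=203.0.113.5
time="2025-09-10 02:14:04" msg="SSL VPN login failed" usr="admin" src=203.0.113.5
time="2025-09-10 02:16:30" msg="SSL VPN login succeeded" usr="jdoe" src=203.0.113.5
time="2025-09-10 09:00:00" msg="SSL VPN login failed" usr="rgarcia" src=198.51.100.7
time="2025-09-10 09:30:00" msg="SSL VPN login succeeded" usr="rgarcia" src=198.51.100.7
"""

LINE_RE = re.compile(r'time="(?P<time>[^"]+)" msg="(?P<msg>[^"]+)" '
                     r'usr="(?P<usr>[^"]+)" src=(?P<src>\S+)')

def parse(log):
    """Turn raw lines into dicts with a datetime and an ok flag; skip junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["time"] = datetime.strptime(d["time"], "%Y-%m-%d %H:%M:%S")
        d["ok"] = "succeeded" in d["msg"]
        events.append(d)
    return events

def detect(events, window=timedelta(minutes=5), threshold=4):
    """Flag (a) a source failing against >= threshold distinct usernames inside
    the window and (b) a success from a source that failed within the window."""
    alerts, sprayed = [], set()
    recent_fails = defaultdict(list)  # src -> [(time, usr), ...]
    for e in sorted(events, key=lambda x: x["time"]):
        src = e["src"]
        # keep only this source's failures that are still inside the window
        fails = [(t, u) for t, u in recent_fails[src] if e["time"] - t <= window]
        if e["ok"]:
            if fails:
                alerts.append(("success_after_failures", src, e["usr"]))
        else:
            fails.append((e["time"], e["usr"]))
            users = {u for _, u in fails}
            if len(users) >= threshold and src not in sprayed:
                sprayed.add(src)
                alerts.append(("password_spray", src, len(users)))
        recent_fails[src] = fails
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` flags the spraying source and the later success for `jdoe` from it, while the single failure and much later success from the second source stay quiet.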

    This setup allows attackers to add every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If this default group has access to sensitive services such as the Virtual Office Portal or unrestricted network zones, then any compromised AD account will instantly inherit those permissions. This effectively bypasses intended AD group-based access controls.

    In certain cases, threat actors have also managed to gain access to the Virtual Office Portal hosted by SonicWall appliances. In default configurations, this can facilitate public access and allow attackers to configure Multi-Factor Authentication (MFA) or Time-Based One-Time Passwords (TOTP) using valid accounts. If there is prior credential exposure, this enables attackers to easily gain remote access via Quick Assist.

    The Akira ransomware group has been actively targeting vulnerable SonicWall SSL VPN devices as part of their operations. According to the Australian Cyber Security Centre (ACSC), they have struck several organizations in Australia through these compromised devices. The threat actors are reportedly utilizing a combination of all three security risks to gain unauthorized access and conduct ransomware operations.

    To mitigate this risk, organizations are advised to take several steps. Firstly, they should rotate passwords on all SonicWall local accounts immediately. Secondly, any unused or inactive SonicWall local accounts should be removed. Thirdly, MFA/TOTP policies should be configured to prevent attackers from easily gaining access. Finally, Virtual Office Portal access should be restricted to the internal network.

    The Akira ransomware group has been a persistent threat in the ransomware landscape since its debut in March 2023. As of August 2025, it had claimed 967 victims worldwide, according to Ransomware.Live. The group was reported to have carried out 40 attacks in July 2025 alone, and Akira, Qilin and INC Ransomware were the three families that targeted the most industrial entities in Q2 2025.

    Dragos noted that Akira maintained "substantial activity" during this time, targeting the manufacturing and transportation sectors through sophisticated phishing campaigns and multi-platform ransomware deployments. The group's modus operandi involves leveraging search engine optimization (SEO) poisoning techniques to deliver trojanized installers for popular IT management tools, which then deploy the Bumblebee malware loader.

    AdaptixC2, an open-source framework developed by threat actors, plays a key role in these operations. According to Palo Alto Networks Unit 42, the versatility and modularity of AdaptixC2 allow it to execute commands, transfer files, and perform data exfiltration on infected systems. The group has been using this framework to drop the Bumblebee malware loader, which is then used as a conduit for other malicious payloads.

    Other campaigns utilizing AdaptixC2 have utilized Microsoft Teams calls mimicking IT help desk interactions to trick unsuspecting users into granting remote access via Quick Assist and running PowerShell scripts that decrypt and load the shellcode payload. This demonstrates the adaptability of the Akira ransomware group, which continues to evolve and innovate its attack methods.

    The attack flow typically involves obtaining initial access via the SSLVPN component, escalating privileges to an elevated account or service account, locating and stealing sensitive files from network shares or file servers, deleting or stopping backups, and deploying ransomware encryption at the hypervisor level. By exploiting this vulnerability in their operations, Akira ransomware hackers are able to bypass traditional security controls and access critical systems.

    In conclusion, SonicWall's SSL VPN flaw has exposed a significant vulnerability that can be exploited by malicious actors like the Akira ransomware group. Organizations using these firewalls must take immediate action to mitigate this risk by rotating passwords, removing unused accounts, configuring MFA/TOTP policies, and restricting Virtual Office Portal access. The adaptability of the Akira ransomware group highlights the importance of continuous monitoring and threat intelligence in maintaining network security.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/SonicWall-SSL-VPN-Flaw-Exposed-Akira-Ransomware-Hackers-Take-Advantage-of-Misconfigurations-ehn.shtml

  • https://thehackernews.com/2025/09/sonicwall-ssl-vpn-flaw-and.html


  • Published: Thu Sep 11 07:34:53 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
