- ReliaQuest warns that Akira ransomware often spreads through compromised assets inherited during mergers and acquisitions.
- Most infections come from unpatched SonicWall SSL VPN devices exploited for lateral movement and encryption.
- SonicWall recently patched CVE-2025-40601, a high-severity buffer overflow flaw affecting Gen7 and Gen8 firewalls.
Companies buy and sell other companies all the time, but in addition to customers, profits, a different market, or talented staff, buyers often also receive something unexpected with their acquisition: a ransomware infection.
Cybersecurity researchers at ReliaQuest recently published a new report on how the Akira ransomware infects its victims. It notes that in each attack ReliaQuest analyzed between June and October 2025, the victim company was infected through an asset it had previously acquired, one that already had compromised hardware on its network.
“In these cases, the acquiring companies did not know that these devices existed in their new environments, leaving critical vulnerabilities exposed,” the blog reveals.
What came first: the news of infection or acquisition?
According to the report, Akira most often compromised unpatched SonicWall SSL VPN devices, after news broke in mid-July 2025 of a potential new vulnerability in VPN solutions that Akira abused to log in, move laterally, and encrypt systems.
In late September, several security teams warned of intrusions on SonicWall SSL VPN devices, even though the devices were patched and users had MFA enabled.
SonicWall also released a patch for a high-severity vulnerability in its SonicOS SSL VPN service and urged all users to update their firewalls immediately.
In a security advisory, SonicWall said it discovered a stack-based buffer overflow vulnerability that allows an unauthenticated, remote attacker to cause a Denial of Service (DoS) and essentially crash the firewall.
The vulnerability is now tracked as CVE-2025-40601 and has been assigned a severity score of 7.5/10 (High). It affects Gen8 and Gen7 firewalls, both hardware and virtual. Previous models, such as Gen6 firewalls or SMA 1000 and SMA 100 series SSL VPN products, were said to be safe from this bug.
It was unclear whether Akira’s operators targeted companies because they were being acquired, or if they were simply compromised because they used vulnerable equipment and were later acquired.
Through The Registry