- Akira ransomware is exploiting a year-old SonicWall SSLVPN vulnerability affecting Gen5 to Gen7 firewalls
- The attackers also abuse the default LDAP group configuration and public access to the Virtual Office portal
- Rapid7 warns that Akira combines multiple weaknesses, urging companies to patch their systems
A vulnerability in SonicWall's SSLVPN, discovered and patched more than a year ago, is being abused by Akira's ransomware operators, security researchers are warning.
The criminals are going after companies that still have not applied the patch or otherwise mitigated the risk.
In a recently published security notice, Rapid7 experts said that an improper access control vulnerability in SSLVPN, which affects Gen5, Gen6 and Gen7 firewall appliances, has seen an increase in abuse as of August 2025.
Combination of risks
Rapid7 also said that Akira is using other means to obtain unauthorized access, in addition to attacking outdated firewall instances. It said SonicWall published an additional security guide on the risk posed by the firewall's default user group, a risk that (in some cases) grants access to services based on the default LDAP group configuration. This allows users without adequate permissions to access SSLVPN.
Threat actors are also accessing the Virtual Office portal hosted on SonicWall appliances, according to the outfit. This service can be used to initially configure MFA/TOTP settings for SSLVPN users and, in certain default settings, allows public access to the portal, letting criminals set up MFA/TOTP on valid but previously exposed accounts.
“The evidence collected during Rapid7 investigations suggests that the Akira group is potentially using a combination of these three security risks to obtain unauthorized access and perform ransomware operations,” the researchers warned.
To mitigate the risk, companies must rotate passwords on all SonicWall accounts, ensure that MFA policies are correctly configured, and verify that the Virtual Office portal is restricted to LAN/internal access (or to the trusted network only). Other mitigations include monitoring access to the Virtual Office portal and making sure everything is patched.
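The monitoring step above, as an added example that is not part of the original article or of any SonicWall or Rapid7 tooling: it scans portal access events for two of the behaviours described (reaching the Virtual Office portal from outside the internal network, and enrolling TOTP from such an address on an existing account). The key=value event format, field names and sample lines are constructed for this example and are not SonicWall's real log schema.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample events in a hypothetical key=value format (an assumption
# for this example, not SonicWall's real syslog schema).
SAMPLE_EVENTS = [
    'time="2025-08-14T02:11:05Z" src=10.20.0.15 usr=jdoe portal=virtual-office evt=login',
    'time="2025-08-14T02:11:40Z" src=10.20.0.15 usr=jdoe portal=virtual-office evt=totp_enroll',
    'time="2025-08-14T03:02:17Z" src=203.0.113.44 usr=svc_backup portal=virtual-office evt=login',
    'time="2025-08-14T03:02:51Z" src=203.0.113.44 usr=svc_backup portal=virtual-office evt=totp_enroll',
    'time="2025-08-14T03:05:09Z" src=203.0.113.44 usr=svc_backup portal=sslvpn evt=login',
]

# Address ranges treated as "LAN/internal"; adjust to the environment's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    user: str
    src: str
    reason: str


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_alerts(lines) -> list:
    """Flag Virtual Office portal activity that did not originate inside the LAN."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("portal") != "virtual-office" or is_internal(ev["src"]):
            continue  # other services, or expected internal use, are not flagged here
        if ev.get("evt") == "totp_enroll":
            reason = "TOTP enrolled from a public IP: possible MFA setup on an exposed account"
        else:
            reason = "Virtual Office portal reached from a public IP: portal should be LAN-only"
        alerts.append(Alert(ev["usr"], ev["src"], reason))
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"{a.user} from {a.src}: {a.reason}")
```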
Akira has been active for at least two years, and is known for aggressively attacking edge devices, the researchers concluded.