A surge in Akira ransomware attacks targeting SonicWall SSL VPN connections has been observed since mid-July 2025, primarily exploiting unpatched versions of SonicOS. Attackers gain unauthorized access, often bypassing Multi-Factor Authentication (MFA), and can quickly escalate to data encryption and exfiltration within hours. SonicWall has issued patches for a critical zero-day vulnerability, but many devices remain vulnerable as of 2025.

Ongoing Akira ransomware attacks are successfully breaching SonicWall SSL VPN accounts even with one-time password (OTP) multi-factor authentication enabled. This exploitation is linked to previously stolen OTP seeds and an improper access control vulnerability (CVE-2024-40766), prompting SonicWall to recommend that administrators reset VPN credentials and ensure devices are running the latest firmware.

SonicWall is investigating a surge of ransomware incidents affecting its Gen 7 firewalls, linked to a potential zero-day vulnerability in its SSL VPN services. The company is collaborating with third-party threat research teams to assess the situation and has advised customers to disable SSL VPN services where feasible and implement security measures to mitigate risks. Previous attacks have exploited similar vulnerabilities, highlighting ongoing concerns about the security of SonicWall's products.