- Akira ransomware is exploiting a year-old SonicWall SSLVPN flaw, targeting unpatched Gen5–Gen7 firewalls
- Attackers also abuse default LDAP group settings and public access to the Virtual Office Portal
- Rapid7 warns that Akira combines multiple weaknesses, urging businesses to patch systems
A vulnerability in SonicWall’s SSLVPN instances, discovered and patched more than a year ago, is now being abused by Akira ransomware operators, security researchers are warning.
The miscreants are going after companies that did not yet apply the patch, or otherwise mitigate the risk.
In a newly published security advisory, experts from Rapid7 said that an improper access control vulnerability for SSLVPN, affecting Gen5, Gen6, and Gen7 firewall appliances, has seen an uptick in abuse, starting in August 2025.
Combining risks
Rapid7 also said that Akira is using other means to gain unauthorized access, besides targeting outdated firewall instances. It said that SonicWall posted additional security guidance around the firewall’s Default Users Group Security Risk, a risk which can provision access to the services based on the Default LDAP group configurations (in some instances). This allows users without proper permissions to gain access to the SSLVPN.
The threat actors are also accessing the Virtual Office Portal hosted by SonicWall appliances, the outfit further stated. This service can be used to initially set up MFA/TOTP configurations for SSLVPN users and, in certain default configurations, allows public access to the portal, which allows miscreants to configure MFA/TOTP with valid, previously exposed, accounts.
“Evidence collected during Rapid7’s investigations suggests that the Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” the researchers warned.
To mitigate the risk, businesses should rotate passwords on all SonicWall accounts, ensure MFA policies are properly configured, and check if Virtual Office Portal is restricted to LAN/internal access (or trusted network access only). Other mitigations include monitoring access to the Virtual Office Portal and making sure everything’s patched up.
Akira has been active for at least two years now, and is known for aggressively targeting edge devices, the researchers concluded.
