Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations
Summary
The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that the recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted or internal networks.
Timeline
- 11.09.2025 13:33 (2 articles)
Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations
Since late July 2025, the Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices. The attacks leverage a known flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. The Australian Cyber Security Centre (ACSC) has issued an alert about increased Akira ransomware activity targeting SonicWall SSL VPNs. Rapid7 reported a resurgence of attacks, likely due to incomplete remediation. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766 and not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted or internal networks.
Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers (thehackernews.com, 11.09.2025 13:33)
- Akira ransomware exploiting critical SonicWall SSLVPN bug again (www.bleepingcomputer.com, 11.09.2025 19:32)
Information Snippets
- Akira ransomware group has been actively exploiting SonicWall SSL VPN devices since late July 2025. (First reported 11.09.2025 13:33; 2 sources, 2 articles: thehackernews.com, www.bleepingcomputer.com)
- The attacks leverage a known flaw (CVE-2024-40766) in SonicWall SSL VPN devices. (First reported 11.09.2025 13:33; 2 sources, 2 articles: thehackernews.com, www.bleepingcomputer.com)
- Misconfigured LDAP settings in SonicWall devices allow attackers to bypass access controls. (First reported 11.09.2025 13:33; 2 sources, 2 articles: thehackernews.com, www.bleepingcomputer.com)
- The Virtual Office Portal in SonicWall devices can be exploited to configure MFA with valid accounts. (First reported 11.09.2025 13:33; 2 sources, 2 articles: thehackernews.com, www.bleepingcomputer.com)
- Akira ransomware has targeted 967 victims since its debut in March 2023. (First reported 11.09.2025 13:33; 1 source, 1 article: thehackernews.com)
- Akira conducted 40 attacks in July 2025, making it the third most active ransomware group after Qilin and INC Ransom. (First reported 11.09.2025 13:33; 1 source, 1 article: thehackernews.com)
- Akira ransomware attacks often involve SEO poisoning to deliver trojanized installers and Bumblebee malware. (First reported 11.09.2025 13:33; 1 source, 1 article: thehackernews.com)
- The AdaptixC2 framework is used for post-exploitation and adversarial emulation in Akira ransomware attacks. (First reported 11.09.2025 13:33; 1 source, 1 article: thehackernews.com)
Similar Happenings
Senator Wyden calls for FTC probe into Microsoft's role in ransomware attacks on U.S. critical infrastructure
U.S. Senator Ron Wyden has urged the Federal Trade Commission (FTC) to investigate Microsoft for alleged cybersecurity negligence that facilitated ransomware attacks on U.S. critical infrastructure, including healthcare networks. Wyden's call follows a ransomware attack on Ascension, a healthcare system, which resulted in the theft of personal and medical information of nearly 5.6 million individuals. The attack, attributed to the Black Basta ransomware group, exploited insecure default settings in Microsoft software and the RC4 encryption algorithm. The breach occurred when a contractor clicked on a malicious link in Microsoft's Bing search engine, leading to malware infection and subsequent elevated access to Ascension's network. Wyden's office highlighted Microsoft's continued support for RC4, an outdated and insecure encryption technology, as a significant vulnerability. Microsoft has acknowledged the issues and plans to deprecate RC4 support in future updates to Windows 11 and Windows Server 2025. The company also outlined mitigations to protect against Kerberoasting attacks, which target the Kerberos authentication protocol. Wyden's office urged Microsoft to warn customers about the dangers of using RC4 instead of AES 128/256, and Microsoft responded with a technical blog post in October 2024, which was criticized for not clearly conveying the warning to decision-makers. Microsoft is actively working to gradually remove RC4 and is providing advice for using the algorithm in the safest ways possible.
Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. The exploit can result in unauthorized modification of the SAP database, creation of superuser accounts, and theft of password hashes. Organizations are advised to apply patches immediately and monitor for suspicious activity. The vulnerability was fixed by the vendor on August 11, 2025, but several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and even assisted in the development of a patch. SecurityBridge and Pathlock have confirmed active exploitation of the vulnerability. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Organizations are urged to implement additional security measures, such as SAP's Unified Connectivity framework (UCON), to restrict RFC usage and monitor logs for suspicious activity.
Active exploitation of TP-Link TL-WA855RE Wi-Fi range extender vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a missing authentication vulnerability in TP-Link TL-WA855RE Wi-Fi range extender products. The flaw, tracked as CVE-2020-24363, allows attackers on the same network to send unauthenticated requests for a factory reset and reboot, potentially gaining administrative access. The vulnerability was disclosed in August 2020 and has been resolved by TP-Link in firmware updates. However, the product is now discontinued, and users are advised to discontinue its use. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address it by September 23, 2025. On September 4, 2025, CISA added two additional TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its KEV catalog, noting evidence of active exploitation. These vulnerabilities affect multiple TP-Link router models, some of which have reached end-of-life status. TP-Link released firmware updates in November 2024 to address these issues, but recommends upgrading to newer hardware for enhanced protection.
High-Severity Use-After-Free Vulnerability in Chrome's V8 Engine Patched
Google has released Chrome 140 to patch a high-severity use-after-free vulnerability (CVE-2025-9864) in the V8 JavaScript engine. This flaw, reported by the Yandex Security Team, could lead to heap corruption and potential remote code execution (RCE) through crafted HTML pages. The update also addresses three medium-severity bugs in Chrome's Toolbar, Extensions, and Downloads components. Users are advised to update immediately to mitigate risks. The vulnerability affects multiple platforms, including Windows, macOS, and Linux. Google has not reported any active exploitation in the wild.
Google Patches Two Zero-Day Vulnerabilities Under Active Exploitation in Android
Google released September 2025 Android security updates addressing 111 vulnerabilities, including two zero-day flaws actively exploited in targeted attacks. The vulnerabilities allow privilege escalation without user interaction. The patches include fixes for remote code execution, information disclosure, and denial-of-service issues across various components. The updates are part of Google's monthly security bulletin, with two patch levels released to provide flexibility for Android partners. The vulnerabilities were discovered by Benoît Sevens of Google's Threat Analysis Group (TAG).