SonicWall SSL VPN exploitation wave (Akira-linked)

Type: Exploitation Wave
Happening score: 59
4 unique sources, 5 articles

Summary

An Akira ransomware-linked exploitation wave is driving a widespread compromise of SonicWall SSL VPN devices for initial access, with attacks using CVE-2024-40766 and, in some cases, rapidly moving from login activity to network scanning and attempts to access Windows accounts. Huntress said the latest activity began on October 4, 2025 and impacted more than 100 accounts across 16 customer environments, with authentications in its cases originating from 202.155.8[.]73. SonicWall also disclosed unauthorized exposure of firewall configuration backup files in MySonicWall accounts, but Huntress said there is no evidence yet linking that incident to the spike in compromises.

Related Happenings

Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)

Vulnerability
First: 24.04.2026 20:06 Last: 24.04.2026 20:06 Sources 1

About this happening: **Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...

Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices

Target Trend
First: 15.04.2026 12:30 Last: 15.04.2026 12:30 Sources 1

About this happening: A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...

Forest Blizzard DNS hijacking token-theft campaign against older routers

Campaign
First: 07.04.2026 20:02 Last: 07.04.2026 20:02 Sources 1

About this happening: Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...

APT28 FrostArmada DNS hijacking and AitM credential theft campaign

Campaign
First: 07.04.2026 18:51 Last: 07.04.2026 18:51 Sources 1

About this happening: A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...

Akira group rapid double-extortion ransomware activity

Malware Activity
First: 02.04.2026 16:00 Last: 02.04.2026 16:00 Sources 1

About this happening: **Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...

Timeline

  1. 11.10.2025 16:30 2 articles · 7mo ago

    SonicWall SSL VPN compromise impacts over 100 accounts

    Campaign Scope Update

    Starting October 4, 2025, Huntress observed widespread compromise of SonicWall SSL VPN devices across multiple customer environments, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts impacted; in the cases investigated, authentications originated from 202.155.8[.]73, and some compromised devices showed network scanning and attempts to access local Windows accounts.

  2. 11.09.2025 13:33 4 articles · 8mo ago

    SonicWall SSL VPN exploitation wave (Akira-linked)

    Initial Disclosure

    The wave first centered on **SonicWall SSL VPN** access and quickly showed signs of repeated use across multiple intrusions. Early reporting tied the activity to **Akira ransomware** resurgence beginning in **late July 2025**.
