PatchDay Alert
Analysis · 4 min read · 715 words · By operations-desk

Akira's favorite front door is a SonicWall SSL-VPN, and it's fast

Three SonicWall bugs, CVE-2024-40766, CVE-2024-53704, and CVE-2025-23006, feed the same outcome: Akira ransomware through the SSL-VPN. In one campaign, the time from SonicWall access to encrypted files was 55 minutes. Several of these bugs walk past MFA.

Akira ransomware has made SonicWall SSL-VPN one of its preferred entry points, and the defining feature is speed. Arctic Wolf documented a campaign where intrusions traced to SonicWall SSL-VPN were followed by ransomware in as little as 55 minutes, with the attackers bypassing multi-factor authentication along the way. Three SonicWall vulnerabilities feed this pattern: CVE-2024-40766, CVE-2024-53704, and CVE-2025-23006. If you run SonicWall firewalls or SMA appliances with SSL-VPN exposed, you’re operating gear that a fast, MFA-aware ransomware crew actively hunts.

The three bugs

  • CVE-2024-40766 (SonicOS improper access control). Disclosed August 2024, affecting the management interface and SSL-VPN. Akira affiliates used it for initial access and, critically, in some cases against devices that had already been patched, because the underlying SSL-VPN credentials carried over and remained valid after the upgrade unless they were reset. Patching alone wasn’t enough.
  • CVE-2024-53704 (SSLVPN authentication bypass). A flaw in the SonicOS SSL-VPN authentication mechanism, exploitable in the default configuration with no knowledge of any username or password, and it bypasses MFA. SonicWall patched it on January 7, 2025; weeks later, thousands of firewalls were still exposed.
  • CVE-2025-23006 (SMA1000 deserialization). A critical pre-authentication flaw in the Secure Mobile Access 1000 series appliances, which SonicWall warned was being exploited.

CISA lists these with the ransomware flag. Two themes run through them: several defeat MFA (because an authentication bypass doesn’t care that a second factor exists, it skips authentication entirely), and one shows that patching without resetting credentials leaves the door open.

What this pattern teaches

  • Auth bypasses make MFA irrelevant. MFA protects the login. A bypass doesn’t log in; it walks around the mechanism, so the second factor never comes into play. That’s why “we have MFA on the VPN” didn’t save the Akira victims here. MFA is essential and it is not a substitute for patching the authentication code itself.
  • Patching is step one; resetting credentials is step two. CVE-2024-40766 is the cautionary case: organizations upgraded and were still compromised because the credentials the attacker could leverage stayed valid. Per SonicWall’s own guidance, after patching you must reset SSL-VPN and local account passwords. This is the same lesson as CitrixBleed: the patch closes the hole, not the access already established.
  • Speed means you don’t get a second chance. Fifty-five minutes from access to encryption leaves no time for a leisurely incident response. The defense has to be preventive, patched and hardened before the attacker arrives, because detection-and-response inside an hour is a tall order.

What to do

  • Patch SonicOS and SMA appliances to current firmware for all three CVEs and beyond. Treat SonicWall updates as emergency-grade given the active Akira targeting.
  • After patching CVE-2024-40766, reset credentials. Reset SSL-VPN user passwords and local account passwords; do not assume the upgrade invalidated what the attacker could use. This step is the difference between “patched” and “secure” here.
  • Restrict and harden SSL-VPN. Limit SSL-VPN access to known source IPs where feasible, ensure MFA is enforced (it still raises the bar against credential attacks even if it doesn’t stop a bypass), and disable SSL-VPN if it isn’t needed.
  • Get management interfaces off the internet. The SonicOS management plane should never be publicly reachable.
  • Assume compromise and hunt if you were exposed. Given Akira’s speed and the MFA-bypass nature, an internet-facing SonicWall that lagged on patches should be investigated for unauthorized VPN sessions, new accounts, and the early stages of ransomware staging. Keep offline, immutable backups so a sub-hour encryption event doesn’t take your recovery with it.
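A post-patch hunt along the lines of the last three items, as an added example that is not part of the original note and not SonicWall tooling: it flags accounts whose passwords predate the firmware upgrade (the CVE-2024-40766 trap) and VPN sessions from outside the approved source ranges or completed with no MFA step. The record fields, timestamps, addresses and allowlist are all constructed.

```python
# Post-patch hunt for an SSL-VPN appliance. Constructed example, not SonicWall
# tooling: record fields, sample values and the allowlist are all made up here.
# Check 1: accounts whose password predates the firmware upgrade still carry
#          the credentials an attacker could have harvested before the patch.
# Check 2: sessions from outside approved source ranges, or completed with no
#          MFA step, match the bypass pattern described above.
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

UTC = timezone.utc
# Constructed: when the appliance firmware was upgraded.
UPGRADE_TIME = datetime(2024, 9, 10, 2, 0, tzinfo=UTC)

# Constructed account records: username -> last password change.
ACCOUNTS = {
    "alice": datetime(2024, 9, 12, 9, 30, tzinfo=UTC),      # reset after upgrade
    "svc-backup": datetime(2023, 4, 1, 8, 0, tzinfo=UTC),   # never reset
    "bob": datetime(2024, 8, 30, 17, 15, tzinfo=UTC),       # predates upgrade
}

# Constructed SSL-VPN session records.
SESSIONS = [
    {"user": "alice", "src": "203.0.113.10", "mfa": True},
    {"user": "svc-backup", "src": "198.51.100.77", "mfa": False},
    {"user": "bob", "src": "203.0.113.22", "mfa": True},
]

# Constructed allowlist of source ranges permitted to reach the SSL-VPN.
ALLOWED_NETS = [ip_network("203.0.113.0/24")]

def stale_credentials(accounts, upgrade_time):
    """Accounts whose password was last set before the upgrade: reset them."""
    return sorted(u for u, changed in accounts.items() if changed < upgrade_time)

def suspicious_sessions(sessions, allowed_nets):
    """(user, reason) pairs for sessions an analyst should review."""
    findings = []
    for s in sessions:
        src = ip_address(s["src"])
        if not any(src in net for net in allowed_nets):
            findings.append((s["user"], "source outside allowlist"))
        if not s["mfa"]:  # a completed session with no second factor
            findings.append((s["user"], "no MFA step recorded"))
    return findings

if __name__ == "__main__":
    print("Reset these accounts:", stale_credentials(ACCOUNTS, UPGRADE_TIME))
    for user, reason in suspicious_sessions(SESSIONS, ALLOWED_NETS):
        print(f"Review session for {user}: {reason}")
```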

The reframe is to treat SonicWall SSL-VPN as a known, actively-hunted ransomware entry point and defend it preventively. The Akira campaign shows the realistic timeline, under an hour, the realistic bypass of MFA, and the realistic trap of patching without resetting credentials. Patch fast, reset what the bug exposed, restrict the VPN, and keep backups an attacker can’t reach. We track the SonicWall entries as one ongoing pattern, because to Akira, they’re a single reliable door.
