Redazione RHC : 5 August 2025 18:46
Last Sunday, Red Hot Cyber published an in-depth analysis of the surge in malicious activity by the AKIRA ransomware group, which appears to exploit an undocumented zero-day vulnerability in SonicWall devices with SSLVPN enabled. The article highlighted a possible correlation between the rise in attacks and a not-yet-publicly acknowledged weakness in the U.S. company's Gen 7 firewalls. In response to these reports and to parallel findings from other researchers, SonicWall has released an official statement.
In the statement, published on August 4, 2025, SonicWall confirms that over the past 72 hours there has been a notable increase in cyber incidents, both reported internally and observed by third parties, involving Gen 7 firewalls with SSLVPN enabled. The company also credits external research teams, including Arctic Wolf, Google Mandiant, and Huntress, with flagging the same suspicious activity. This confirms the findings of our article and reinforces the hypothesis that the AKIRA operators are using an advanced exploit.
SonicWall states that it is conducting an in-depth investigation to determine whether these attacks are linked to a previously disclosed vulnerability or to a new flaw. At this stage the company does not rule out an as-yet-undocumented vulnerability, which aligns with the concerns expressed by our editorial team in the previous article.
In the meantime, SonicWall has issued a series of recommendations to customers and partners to reduce their exposure. Specifically, it recommends disabling the SSLVPN service where practical, or otherwise restricting access to it to trusted source IP addresses only. The company also recommends enabling security services such as Botnet Protection and Geo-IP Filtering, and enforcing multi-factor authentication (MFA) for all remote access, while acknowledging that MFA alone may not be sufficient in this specific scenario.
Other recommended measures include removing unused local accounts, especially those enabled for SSLVPN access, and enforcing sound credential hygiene with regular password rotation. SonicWall stresses that these measures are essential to limit the impact of the ongoing attacks while it works toward releasing a corrective firmware update, should one prove necessary.
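Two of the recommendations above, restricting SSLVPN to trusted source addresses and removing unused SSLVPN-enabled local accounts, are checks an administrator can run against exported data before touching the firewall configuration. The script below is an added example written for this article; it is not SonicWall's tooling, and the two CSV layouts (a local-account export with a last-login date, and a list of SSLVPN login events with a source IP) are constructed for illustration rather than SonicWall's actual export format. The trusted ranges use RFC 5737 documentation addresses and the 90-day staleness threshold is an assumed policy value.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample export of local accounts (not SonicWall's real format):
# username, whether SSLVPN is enabled, last successful login (ISO date, empty = never)
LOCAL_ACCOUNTS_CSV = """username,sslvpn_enabled,last_login
admin,no,2025-08-04
vpn-contractor,yes,2025-02-10
vpn-sales,yes,2025-08-03
legacy-backup,yes,
"""

# Constructed sample of SSLVPN login events (not SonicWall's real log format)
SSLVPN_LOGINS_CSV = """timestamp,username,source_ip
2025-08-03T09:14:00,vpn-sales,203.0.113.17
2025-08-03T22:41:00,vpn-sales,198.51.100.77
2025-02-10T08:00:00,vpn-contractor,203.0.113.40
"""

# Assumed policy: only these source networks should ever reach SSLVPN (RFC 5737 ranges)
TRUSTED_SOURCES = ["203.0.113.0/24", "192.0.2.0/25"]
# Assumed policy: an SSLVPN account unused for this long should be removed
STALE_AFTER = timedelta(days=90)
# Fixed reference date so the example is reproducible
NOW = datetime(2025, 8, 5)


def parse_csv(text):
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_sslvpn_accounts(accounts, now=NOW, stale_after=STALE_AFTER):
    """Return usernames of SSLVPN-enabled local accounts that were never used
    or have not logged in for longer than stale_after (candidates for removal)."""
    stale = []
    for acct in accounts:
        if acct["sslvpn_enabled"].strip().lower() != "yes":
            continue  # not exposed via SSLVPN, out of scope for this check
        last = acct["last_login"].strip()
        if not last or now - datetime.fromisoformat(last) > stale_after:
            stale.append(acct["username"])
    return stale


def untrusted_logins(logins, trusted=TRUSTED_SOURCES):
    """Return (timestamp, username, source_ip) for every SSLVPN login whose
    source address falls outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    flagged = []
    for ev in logins:
        ip = ipaddress.ip_address(ev["source_ip"].strip())
        if not any(ip in net for net in nets):
            flagged.append((ev["timestamp"], ev["username"], ev["source_ip"]))
    return flagged


def audit(accounts_csv=LOCAL_ACCOUNTS_CSV, logins_csv=SSLVPN_LOGINS_CSV):
    """Run both checks and return the findings as a dict."""
    return {
        "stale_accounts": stale_sslvpn_accounts(parse_csv(accounts_csv)),
        "untrusted_logins": untrusted_logins(parse_csv(logins_csv)),
    }


if __name__ == "__main__":
    findings = audit()
    for user in findings["stale_accounts"]:
        print(f"REMOVE: SSLVPN-enabled account '{user}' is unused or stale")
    for ts, user, ip in findings["untrusted_logins"]:
        print(f"REVIEW: {ts} login by '{user}' from untrusted source {ip}")
```

On the sample data the script flags `vpn-contractor` and `legacy-backup` for removal and the `vpn-sales` login from 198.51.100.77 for review. Any source address that legitimately needs access but shows up in the second list is a candidate for the trusted-source allow list; anything else is exactly the kind of event that warrants an incident check while the vendor's investigation is open.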
In conclusion, SonicWall's official statement confirms the seriousness of the situation and the urgency of adopting restrictive measures while a patch is awaited. The company's rapid response following our publication demonstrates the value of continuous threat monitoring and of the interaction between industry media, threat intelligence teams, and security vendors. Red Hot Cyber will continue to monitor the situation and will promptly update readers on any technical developments or new countermeasures.