Akira Ransomware Exploits SonicWall SMA100 Vulnerabilities: What You Need to Know
A newly surfaced set of vulnerabilities in the SonicWall SMA100 series appliances has captured the attention of cybersecurity professionals. While SonicWall has released patches for CVE-2025-40596 through CVE-2025-40599, and media reports point to a surge in Akira ransomware attacks targeting SonicWall SSL VPN infrastructure, CISA has not formally confirmed exploitation of these specific vulnerabilities by Akira at this time. These vulnerabilities are concerning because they may allow attackers to execute code remotely, leading to complete system compromise.
In late July 2025, security researchers observed an uptick in ransomware activity preceded by ‘pre-intrusions.’ In multiple incidents, the ‘pre-intrusion’ entry point was traced back to the SSL VPN functionality of SonicWall firewall devices. These incidents suggest the presence of previously undetected vulnerabilities in those systems. Notably, several attacks were observed on fully patched devices, which may indicate the use of zero-day exploits or access gained through compromised credentials.
The vulnerabilities: CVE-2025-40596 to CVE-2025-40599
CVE-2025-40599 – Authenticated Arbitrary File Upload
- Type: Admin-authenticated attackers can upload arbitrary files via the web management interface
- Impact: May result in full remote code execution and persistence on the device
- Bitsight DVE Score: 6.17 / 10
- Exploitation: No confirmed exploitation; because the flaw requires administrative privileges, SonicWall notes it may be abused if administrative credentials are already compromised
CVE-2025-40596 – Stack-Based Buffer Overflow
- Type: Stack-based buffer overflow in the web interface
- Impact: Remote, unauthenticated attackers can crash the system (Denial of Service) or execute code remotely
- Bitsight DVE Score: 5.89 / 10
- Exploitation: Not confirmed in the wild as of this writing
CVE-2025-40597 – Heap-Based Buffer Overflow
- Type: Heap-based buffer overflow vulnerability
- Impact: Like CVE-2025-40596, enables unauthenticated attackers to trigger DoS or potentially execute code remotely
- Bitsight DVE Score: 5.82 / 10
- Exploitation: Not confirmed in the wild as of this writing
CVE-2025-40598 – Reflected Cross-Site Scripting (XSS)
- Type: Reflected XSS via the web UI
- Impact: Allows JavaScript injection, potentially leading to session hijacking or credential theft
- Bitsight DVE Score: 5.82 / 10
- Exploitation: Not confirmed; may be useful for reconnaissance or credential harvesting
Akira ransomware: Threat actor spotlight
Akira ransomware first emerged in March 2023 and has since evolved into a significant cyber threat. Akira operates under a ransomware-as-a-service (RaaS) model and is known for its use of double extortion techniques: exfiltrating sensitive data before encrypting it and pressuring victims with public exposure. Ransom demands have ranged from $200,000 to $4 million, with total earnings exceeding $42 million in 2024. As of early 2025, over 250 organizations have been impacted globally.
Targeted sectors and regions
Akira has primarily targeted small to mid-sized organizations across a variety of industries, including: Manufacturing; Professional, Scientific, and Technical Services; Construction; Transportation and Warehousing; Information Technology; Education; Healthcare; and Financial Services.
Geographically, Akira campaigns have focused on organizations located in North America and Western Europe, particularly in the United States, Canada, Germany, Italy, and the United Kingdom.
Attack vectors and tactics
Akira often gains initial access using compromised credentials for systems protected only by single-factor authentication, such as VPNs or remote desktop services. After access is gained, the group employs publicly available tools to conduct lateral movement, credential harvesting, and network reconnaissance.
Their operations are opportunistic, targeting unpatched systems, reused credentials, and misconfigured infrastructure to establish and maintain access.
Current threat activity
Recent threat intelligence suggests that Akira affiliates may be targeting SonicWall SSL VPN infrastructure, especially in environments lacking multi-factor authentication or timely patching. While Akira’s tactics align with the exploitation of internet-facing vulnerabilities, no public advisories currently confirm exploitation of CVE-2025-40596 through CVE-2025-40599 by Akira.
How these flaws could be exploited
If exploited in combination, these vulnerabilities could form an effective attack chain:
- Initial Access: CVE-2025-40596 and CVE-2025-40597 could allow attackers to bypass authentication and crash or take control of SMA devices remotely.
- Reconnaissance & Escalation: CVE-2025-40598 could be used to inject JavaScript or steal credentials via reflected XSS, aiding lateral movement.
- Persistence & Payload Deployment: If administrative access is obtained, CVE-2025-40599 allows attackers to upload malicious payloads and establish persistent control via remote code execution.
These steps align with Akira’s known playbook: rapid privilege escalation, disabling recovery tools, encrypting infrastructure, and exfiltrating data for ransom leverage.
What you should do immediately
Organizations using SonicWall SMA100 appliances should take immediate action:
Patch immediately
- Apply all firmware updates from SonicWall, including July 2025 hotfixes addressing these CVEs.
Reduce exposure
- Disable public-facing access to SMA100 web interfaces.
- Use network segmentation and IP whitelisting for remote access.
Harden access
- Enable multi-factor authentication (MFA) for all administrative accounts.
- Rotate and audit administrative credentials.
Audit logs
- Review authentication logs, upload directories, and system behavior going back to early July 2025.
Segment & monitor
- Place remote access infrastructure in a dedicated VLAN.
- Deploy Endpoint Detection and Response (EDR) on systems adjacent to SMA deployments.
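As an added illustration of the log-review and IP-allowlisting steps above (example code, not Bitsight's or SonicWall's own tooling), the Python below triages a batch of appliance log lines. The log format, event names and allowlist networks are constructed assumptions for the example, not the SMA100's real log format; it flags administrative authentication from outside the allowlist and file uploads through the management interface, limited to events since early July 2025.

```python
import ipaddress
import re
from datetime import datetime

# Hypothetical networks permitted to reach the management interface (assumption).
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("192.0.2.0/24")]
REVIEW_SINCE = datetime(2025, 7, 1)  # "going back to early July 2025"

# Constructed, generic syslog-style line format; not the SMA100's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)(?: path=(?P<path>\S+))?$"
)

def review_logs(lines, allowlist=MGMT_ALLOWLIST, since=REVIEW_SINCE):
    """Return (reason, line) findings that merit analyst attention."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append(("unparsed", line))  # never silently drop lines
            continue
        if datetime.fromisoformat(m["ts"]) < since:
            continue  # outside the review window
        src = ipaddress.ip_address(m["src"])
        off_allowlist = not any(src in net for net in allowlist)
        event = m["event"]
        if event == "admin_login_fail" and off_allowlist:
            findings.append(("admin auth failure from outside allowlist", line))
        if event == "admin_login_ok" and off_allowlist:
            findings.append(("admin login from outside allowlist", line))
        if event == "admin_upload":
            findings.append(("file upload via management interface", line))
    return findings

# Constructed sample lines (not real logs); 198.51.100.77 is a documentation address.
SAMPLE = [
    "2025-06-15T08:00:00 admin_login_ok user=admin src=10.20.1.5",
    "2025-07-08T02:13:44 admin_login_fail user=admin src=198.51.100.77",
    "2025-07-08T02:14:02 admin_login_ok user=admin src=198.51.100.77",
    "2025-07-08T02:20:31 admin_upload user=admin src=198.51.100.77 path=/tmp/update.bin",
    "2025-07-09T09:00:00 admin_login_ok user=ops src=10.20.3.9",
]

if __name__ == "__main__":
    for reason, line in review_logs(SAMPLE):
        print(f"[{reason}] {line}")
```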
While there is no formal confirmation from CISA linking Akira ransomware to the exploitation of CVE-2025-40596 through CVE-2025-40599, these vulnerabilities represent a serious risk, especially if attackers can obtain or reuse administrative credentials. This situation serves as a timely reminder of the importance of patch management, credential hygiene, and network segmentation in defending against today’s ransomware threats.