
This week, we briefed our clients on Akira's exploit of SonicWall SSL VPN devices. There's conflicting reports on the cause. Passwords or something new?
KEY TAKEAWAYS
- New Akira ransomware attack wave targeting SonicWall SSL VPNs.
- Critical and high-severity vulnerabilities in Microsoft Exchange Hybrid, Trend Micro Apex One, and WinRAR, plus updates to CISA KEV, patch now!
Akira Exploits SonicWalls in New Wave of Attacks
Last week, it was reported that SonicWall SSL VPN devices were being heavily targeted in a new wave of Akira ransomware attacks. When the attacks were first observed, it was unknown exactly how the devices were being exploited, and it was suspected that a new zero-day exploit may have been leveraged. However, later in the week, SonicWall issued an advisory stating that these new attacks were not using a zero-day, but were in fact abusing CVE-2024-40766. After reviewing approximately 40 incidents, SonicWall asserts the exploits result from firewalls that were previously migrated from Gen 6 to Gen 7 (as part of the update to fix CVE-2024-40766), but did not rotate local user passwords during the migration.
What is CVE-2024-40766?
This vulnerability was initially disclosed on August 22, 2024. The SonicWall advisory states that it is a critical "improper access control flaw" affecting Gen 5, Gen 6, and Gen 7 firewalls. Initially, the advisory stated that the vulnerability only affected the management interface, but it was later disclosed that the vulnerability impacted the SSLVPN feature as well. Throughout the fall of 2024, the Akira and Fog ransomware groups heavily exploited this vulnerability to gain initial access into target environments. As part of the "Recommended Actions" for remediation in the SonicWall advisory, it was recommended that "users of Gen 5 and Gen 6 firewalls with locally managed SSLVPN accounts immediately update their passwords to enhance security and prevent unauthorized access." Organizations that failed to take this remediation step appear to be the ones targeted in this latest attack wave.
The Whole Story?
While SonicWall asserts that these attacks are due to incomplete mitigation of CVE-2024-40766, there are conflicting reports from other SonicWall users. In the SonicWall subreddit, many administrators dispute SonicWall's findings, stating that accounts which had multi-factor authentication (MFA) enabled, and which did not even exist prior to the Gen 7 update, were compromised. These reports imply that there may still be an additional exploit being leveraged by Akira in these intrusions.
How to Protect Your Organization
Per SonicWall's statement on the recent activity, their recommendations are as follows:
- Update firmware to version 7.3.0 - This new version includes enhanced protections against brute force attacks and has additional MFA controls.
- Reset all local user account passwords for any accounts with SSLVPN access, especially if these accounts were carried over during migration from Gen 6 to Gen 7.
- Continuing with previously recommended best practices:
The mitigation strategies listed above will protect the device if SonicWall's assertion of CVE-2024-40766 abuse is valid. If there are additional exploits, such as a potential zero-day, organizations may wish to take extra precautions, such as the initial recommendations of either temporarily disabling SSLVPN services and/or restricting connectivity to only trusted IP addresses until there is further clarity.
If your organization is not using SonicWalls but still leverages an SSL VPN, this is a good opportunity to review it.
- Ensure any edge device, especially devices used for remote access such as SSL VPNs, is fully patched.
- Ensure MFA is enabled on all remote access accounts.
- Verify default accounts and passwords have been disabled or had their passwords changed.
- Restrict access to the management interface to only trusted IP addresses.
- If possible, use Geo-IP filtering to restrict access to the device.
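One way to operationalize the two account-focused recommendations above (reset every local SSLVPN password, prioritizing accounts carried over from Gen 6, and enable MFA everywhere) is to audit an export of local users. This is an added example, not SonicWall's tooling; the CSV layout and the migration date are assumptions for the demo.

```python
import csv
import io
from datetime import date

# Constructed sample export of local users. The column layout is an assumption
# for this example, not the format SonicWall's own export produces.
SAMPLE_EXPORT = """name,sslvpn,mfa,created,password_changed
vpn-alice,yes,yes,2024-03-01,2024-03-01
vpn-bob,yes,no,2023-11-05,2023-11-05
admin,no,no,2022-01-10,2025-02-02
vpn-carol,yes,yes,2025-06-01,2025-06-01
vpn-dave,yes,no,2024-02-14,2024-10-01
"""

# Assumed date on which this environment migrated from Gen 6 to Gen 7.
MIGRATION_DATE = date(2024, 9, 15)


def audit_sslvpn_accounts(export_csv: str, migration_date: date) -> dict:
    """Classify local SSLVPN accounts per the vendor guidance above.

    Returns {account name: [findings]}. Every account with SSLVPN access gets
    'reset-password'. Accounts created before the migration whose password was
    never rotated afterwards are additionally tagged 'carried-over' (these are
    the ones SonicWall ties to the Akira activity, so treat them first), and
    accounts without MFA get 'enable-mfa'. Accounts without SSLVPN rights are
    out of scope for this particular audit and are skipped.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["sslvpn"] != "yes":
            continue
        created = date.fromisoformat(row["created"])
        pw_changed = date.fromisoformat(row["password_changed"])
        issues = ["reset-password"]
        if created < migration_date and pw_changed < migration_date:
            issues.append("carried-over")
        if row["mfa"] != "yes":
            issues.append("enable-mfa")
        findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_sslvpn_accounts(SAMPLE_EXPORT, MIGRATION_DATE).items():
        print(f"{name}: {', '.join(issues)}")
```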
Resources:
- https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
- https://www.sonicwall.com/support/knowledge-base/how-to-configure-botnet-filtering-with-firewall-access-rules/170503936467975
- https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-sonicwall-geo-ip-filter-using-firewall-access-rules/170505480197552
- https://www.reddit.com/r/sonicwall/comments/1mjin7r/sonicwall_zeroday_update_230pm_86/
- https://www.bleepingcomputer.com/news/security/sonicwall-finds-no-sslvpn-zero-day-links-ransomware-attacks-to-2024-flaw/
- https://www.bleepingcomputer.com/news/security/critical-sonicwall-sslvpn-bug-exploited-in-ransomware-attacks/
Vulnerability Roundup
Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
Last week, Microsoft disclosed a high-severity privilege escalation vulnerability in Microsoft Exchange Server when used in Hybrid deployments. The vulnerability, tracked as CVE-2025-53786, allows an attacker who first gains administrative access to an on-premises Exchange server to escalate privileges into that organization's connected cloud environment, all without leaving a log trail. This vulnerability affects Microsoft Exchange Server 2016, 2019, and the Subscription Edition. To mitigate this vulnerability, Microsoft recommends reviewing the recent Exchange Server security changes, applying the April 2025 (or newer) hotfix, and following the recommended configuration instructions; all three are linked below.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786
- https://thehackernews.com/2025/08/microsoft-discloses-exchange-server.html
- https://www.bleepingcomputer.com/news/security/cisa-orders-fed-agencies-to-patch-new-cve-2025-53786-exchange-flaw/
- https://techcommunity.microsoft.com/blog/exchange/exchange-server-security-changes-for-hybrid-deployments/4396833
- https://techcommunity.microsoft.com/blog/exchange/released-april-2025-exchange-server-hotfix-updates/4402471
- https://learn.microsoft.com/en-in/Exchange/hybrid-deployment/deploy-dedicated-hybrid-app
Critical Vulnerabilities in Trend Micro Apex One Actively Exploited
Trend Micro recently disclosed a pair of critical vulnerabilities in its Apex One Management Console that are being actively exploited in the wild. The vulnerabilities, tracked as CVE-2025-54948 and CVE-2025-54987, are both command injection flaws that could allow a pre-authenticated remote attacker to upload malicious code and execute arbitrary commands. Trend Micro Apex One as a Service and Trend Vision One Endpoint Security have already been mitigated by the vendor. For on-premises implementations of Trend Micro Apex One, a "Fix Tool" has been provided as a temporary solution until a formal patch is released, which is expected in mid-August.
- https://success.trendmicro.com/en-US/solution/KA-0020652
- https://thehackernews.com/2025/08/trend-micro-confirms-active.html
WinRAR Zero-Day
Researchers at ESET discovered a critical path traversal vulnerability in WinRAR that was being actively exploited as a zero-day. The vulnerability, tracked as CVE-2025-8088, allows threat actors to craft malicious archives that extract files to a file path selected by the attacker. In practice, this can allow a threat actor to place executables in autorun paths, so that the malicious executable runs automatically the next time the user logs in, effectively achieving remote code execution. Affected versions are WinRAR 7.12 and prior. Administrators are urged to update to version 7.13 or higher. As WinRAR does not have an auto-update feature, the updated version must be downloaded from the official WinRAR site.
- https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5
- https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/
- https://www.tenable.com/cve/CVE-2025-8088
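Beyond patching, a defender can triage suspicious archives before anyone opens them by listing the member names and flagging any that would land outside the extraction directory, which is the core of the path traversal class described above. This is an added example written for this post, not code from ESET or WinRAR; it checks entry names only (as produced by any archive listing tool) and does not parse the RAR format itself. The member names are constructed for the demo.

```python
import posixpath

# Constructed archive member names for the demo (not from a real sample).
SAMPLE_MEMBERS = [
    "report/q3.pdf",                      # benign relative path
    "docs/../q3-notes.txt",               # ".." that stays inside the root
    "../../autorun/update.exe",           # climbs out of the extraction root
    "docs\\..\\..\\update.exe",           # same, with Windows separators
    "C:\\Users\\Public\\update.exe",      # absolute path with drive letter
    "\\\\fileserver\\share\\update.exe",  # UNC path
]


def escapes_root(member: str) -> bool:
    """Return True when an archive entry name would resolve outside the
    directory the user chose for extraction.

    The check is purely lexical so it behaves the same on any platform:
    separators are unified, then absolute, drive-letter and UNC names are
    rejected outright, and relative names are normalized to see whether any
    leading '..' survives (a '..' that is cancelled by a preceding directory
    component, as in 'docs/../x', is harmless).
    """
    name = member.replace("\\", "/")
    if name.startswith("/"):                       # "/etc/x" or "//server/share"
        return True
    if len(name) >= 2 and name[0].isalpha() and name[1] == ":":
        return True                                # "C:..." drive-letter path
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def triage_members(members):
    """Return the subset of member names that must not be extracted as-is."""
    return [m for m in members if escapes_root(m)]


if __name__ == "__main__":
    for m in triage_members(SAMPLE_MEMBERS):
        print("UNSAFE:", m)
```

Running the list through `triage_members` flags the four traversal, drive-letter and UNC entries and leaves the two benign names alone; the same function can be fed the output of any archive listing tool line by line.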
CISA KEV Additions
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
- CVE-2022-40799 - D-Link DNR-322L Download of Code Without Integrity Check Vulnerability
- CVE-2020-25079 - D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability
- CVE-2020-25078 - D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
- CVE-2025-20281 - Cisco Identity Services Engine Injection Vulnerability
- CVE-2025-20337 - Cisco Identity Services Engine Injection Vulnerability
- CVE-2023-2533 - PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.