WhySoGeek.

SonicWall SSL VPNs Under Mass Attack in 2026: Akira, 4,000+ IPs, and What to Do

Thousands of SonicWall firewalls are being scanned and breached, with Akira ransomware riding stolen VPN credentials. Here is how to lock yours down.

By Sam Carter
Cover photo: Sean MacEntee / flickr (BY 2.0)

SonicWall firewalls are one of the most heavily targeted edge devices on the internet right now. In a single late-February 2026 window, threat actors generated more than 84,000 scanning sessions against SonicOS infrastructure from over 4,300 distinct IP addresses, a coordinated sweep looking for vulnerable and misconfigured appliances. Behind much of the noise sits the Akira ransomware group, which has used SonicWall SSL VPN access to compromise hundreds of organizations. If you run a SonicWall, this is a problem you need to act on, not monitor.

Quick answer

SonicWall SSL VPNs are under mass attack: 4,300+ IPs scanned SonicOS devices in a single February 2026 burst, and Akira ransomware has breached 250+ organizations through stolen VPN credentials. Patching alone is not enough, because CVE-2024-40766 leaked usernames, passwords, and OTP seeds, letting attackers defeat MFA. The combination that works: patch (or replace end-of-life firmware), reset every VPN credential, re-seed MFA, restrict VPN to known IPs, harden backups against wiping, and hunt logs for access predating the fix.

Key takeaways

  • Attackers scanned SonicOS devices from 4,300+ unique IPs in a short February 2026 burst, probing for known flaws and weak SSL VPN configurations.
  • Akira ransomware has compromised at least 250 organizations through SonicWall VPN access since March 2023, with estimated proceeds around $244 million.
  • Multiple SonicWall CVEs sit in CISA's Known Exploited Vulnerabilities catalog, several with documented ransomware use, including credential-theft and authentication-bypass flaws.
  • More than 430,000 SonicWall firewalls are reachable from the public internet; tens of thousands run unpatched or end-of-life firmware.
  • Stolen credentials and one-time-passcode seeds let attackers log in even where MFA was enabled, so patching plus credential rotation plus MFA reset is the combination that actually helps.

Why SonicWall keeps getting hit

Edge VPN appliances are attractive because they are exposed to the internet by design, they hold credentials, and a single compromise often grants a foothold inside the corporate network. Two flaws have driven much of the SonicWall activity:

  • CVE-2024-40766 was abused to steal usernames, passwords, and one-time-passcode seeds directly from SonicWall SSL VPN appliances. With the OTP seed in hand, attackers could generate valid MFA codes, defeating MFA on the affected accounts.
  • CVE-2024-53704 is an authentication bypass in SonicOS that was weaponized quickly once public exploit code appeared, letting attackers reach sensitive VPN functions without proper authentication.

Five of the seven SonicWall CVEs relevant to the current attack surface appear in CISA's KEV catalog, and four carry documented ransomware association. SonicWall has also patched additional SonicOS flaws across Gen 6, 7, and 8 firewalls in 2026 that should be applied without delay.

Here is how the two headline flaws differ, and why each one needs a different cleanup step:

CVE            | What it does                              | In KEV | Why patching alone is not enough
CVE-2024-40766 | Steals usernames, passwords, OTP seeds    | Yes    | Stolen seeds let attackers forge valid MFA codes; you must re-seed MFA
CVE-2024-53704 | Authentication bypass in SonicOS          | Yes    | Attackers may already hold sessions; rotate credentials and hunt logs

The pattern across both: the firmware fix stops new exploitation, but anything an attacker harvested before you patched (credentials, OTP seeds, sessions) keeps working until you rotate and re-seed.

[Image: a warning screen representing a ransomware attack triggered through VPN access. Photo: ezola / flickr (BY-SA 2.0)]

The Akira connection

Akira's playbook leans heavily on edge devices and backup destruction. The group has reached at least 250 organizations through SonicWall VPN access and is known to wipe backups to block recovery before deploying encryption. The FBI and CISA list Akira among the most active ransomware variants targeting US businesses. Because Akira often arrives through stolen-but-valid VPN credentials, simply patching the firmware is not enough; you also have to assume the credentials and OTP seeds harvested earlier are still in attacker hands.

Warning

If your SonicWall ran vulnerable firmware at any point in 2025 or 2026, treat every SSL VPN credential and OTP seed on that device as potentially compromised, even accounts that had MFA enabled.

What to do now

    1. Patch immediately. Update to the current SonicOS firmware for your generation. If your device is end-of-life and no longer receiving updates, replace it; roughly 20,000 internet-facing SonicWalls are running unsupported firmware.
    2. Reset all SSL VPN credentials. Force a password reset for every VPN user, not just admins, because CVE-2024-40766 exposed user credentials wholesale.
    3. Re-seed MFA. Re-enroll one-time-passcode secrets so any OTP seeds stolen earlier become useless. Prefer phishing-resistant methods where possible; see our guide to phishing-resistant MFA and security keys.
    4. Restrict VPN exposure. Limit SSL VPN access to known IP ranges or put it behind geo and rate controls, and disable any management interface that does not need to face the internet.
    5. Harden backups against wipe-out. Akira targets backups specifically; follow the immutable, offline-copy approach in our 3-2-1-1-0 backup guide.
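Why step 3 is not optional, shown in code. This is an added example, not SonicWall's code or anything from the advisories: a minimal RFC 6238 TOTP verifier plus a simulated VPN account whose OTP seed was harvested the way the CVE-2024-40766 section describes. The seed values, timestamps and the `remediation_outcome` helper are constructed for the illustration; the only real data is RFC 6238's published SHA-1 test secret, which stands in for the harvested seed.

```python
"""Why re-seeding MFA is mandatory after an OTP-seed theft.

Added example (not SonicWall's code): a minimal RFC 6238 TOTP verifier and a
simulated account whose OTP seed was harvested from the appliance.  The seeds,
the timestamp and the helper names are constructed for illustration.
"""
import hashlib
import hmac
import struct

STEP = 30       # seconds per TOTP time-step (RFC 6238 default)
DIGITS = 6      # code length
WINDOW = 1      # accept +/- one step of clock drift, as most verifiers do


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // STEP)


def verify(seed: bytes, code: str, unix_time: int) -> bool:
    """Accept the code if it matches any time-step inside the drift window."""
    for drift in range(-WINDOW, WINDOW + 1):
        expected = totp(seed, unix_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


# --- simulated account state on the VPN appliance (constructed data) --------
# RFC 6238's SHA-1 test secret, standing in for a seed the attacker harvested.
HARVESTED_SEED = b"12345678901234567890"
# A constructed replacement seed, as produced by re-enrolling the user's MFA.
ROTATED_SEED = bytes.fromhex("7d2f9bc4a0e1538c6b9d0f4a2c7e1b3d5f8a9c0e")


def attacker_login_succeeds(current_seed: bytes, stolen_seed: bytes, unix_time: int) -> bool:
    """A code computed from the stolen seed: does the appliance still accept it?"""
    forged_code = totp(stolen_seed, unix_time)
    return verify(current_seed, forged_code, unix_time)


def remediation_outcome(unix_time: int) -> dict:
    """Compare the two states an admin can be in after applying the firmware patch."""
    return {
        # Patched but not re-seeded: the harvested seed is still the live seed.
        "patched_only": attacker_login_succeeds(HARVESTED_SEED, HARVESTED_SEED, unix_time),
        # Patched and re-seeded: the harvested seed no longer matches the account.
        "patched_and_reseeded": attacker_login_succeeds(ROTATED_SEED, HARVESTED_SEED, unix_time),
    }


if __name__ == "__main__":
    now = 1234567890  # constructed timestamp (also an RFC 6238 test-vector time)
    print("code from the RFC 6238 test secret:", totp(HARVESTED_SEED, now))
    print(remediation_outcome(now))
```

The point the output makes: once the seed has left the appliance, the patched firmware still computes the same six digits the attacker computes, so `patched_only` stays true until the account is re-enrolled. Password resets alone do not change this, because the OTP seed is a separate secret.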

Hunt for signs you were already in

Patching closes the door; it does not tell you whether someone is already inside. Review SonicWall logs and your VPN authentication records for:

  • Successful VPN logins from unfamiliar geographies or hosting-provider IP ranges.
  • A burst of failed authentications followed by a success (credential validation).
  • New or modified VPN user accounts and policy changes you cannot attribute to an admin.
  • Lateral-movement indicators such as RDP from the VPN subnet to domain controllers or backup servers.

If you find evidence of access, work the incident assuming ransomware staging is under way; Akira typically dwells before encrypting.
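The four indicators above, turned into a small log-hunting script. This is an added example, not SonicWall's log format or tooling: the line layout (`time user event src_ip [dst_ip]`), the event names, the user names, the address ranges and the asset inventory are all constructed assumptions for the illustration, so map the parser onto your own export format before using the logic.

```python
"""Hunt VPN authentication records for the indicators listed above.

Added example, not SonicWall's log format: the line layout, event names,
users, addresses and subnets are constructed assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed layout: time user event src_ip [dst_ip]).
SAMPLE_LOG = """\
2026-02-24T02:10:01Z alice   vpn_auth_fail  203.0.113.50
2026-02-24T02:10:04Z alice   vpn_auth_fail  203.0.113.50
2026-02-24T02:10:07Z alice   vpn_auth_fail  203.0.113.50
2026-02-24T02:10:09Z alice   vpn_auth_fail  203.0.113.50
2026-02-24T02:10:12Z alice   vpn_auth_ok    203.0.113.50
2026-02-24T02:15:30Z alice   rdp_connect    10.50.0.17    10.0.0.5
2026-02-24T08:02:11Z bob     vpn_auth_ok    198.51.100.9
2026-02-24T08:40:00Z svc_vpn user_created   203.0.113.50
2026-02-24T09:00:00Z carol   vpn_auth_ok    192.0.2.77
"""

# Allow-lists and asset inventory (constructed assumptions).
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]   # office / branch ranges
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. VPS-provider space
VPN_POOL = ipaddress.ip_network("10.50.0.0/24")           # addresses handed to VPN clients
CROWN_JEWELS = {"10.0.0.5": "domain controller", "10.0.0.9": "backup server"}
KNOWN_ADMINS = {"admin_jane"}
FAIL_BURST = 3                      # failures before a success that count as a burst
BURST_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def parse(log_text: str) -> list:
    """Turn the constructed log layout into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, event, src, dst = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "src": src, "dst": dst,
        })
    return events


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hunt(events: list) -> list:
    """Return (user, description) findings for the four indicators, in log order."""
    findings = []
    recent_fails = defaultdict(list)          # user -> timestamps of recent failures
    for e in events:
        if e["event"] == "vpn_auth_fail":
            recent_fails[e["user"]].append(e["ts"])
        elif e["event"] == "vpn_auth_ok":
            # Indicator 1: success from outside the known egress ranges.
            if not in_any(e["src"], KNOWN_EGRESS):
                origin = "hosting-provider range" if in_any(e["src"], HOSTING_RANGES) else "unknown range"
                findings.append((e["user"], f"successful VPN login from {origin} {e['src']}"))
            # Indicator 2: a burst of failures followed by a success.
            fails = [t for t in recent_fails[e["user"]] if e["ts"] - t <= BURST_WINDOW]
            if len(fails) >= FAIL_BURST:
                findings.append((e["user"], f"{len(fails)} failures then success (credential validation) from {e['src']}"))
            recent_fails[e["user"]].clear()
        elif e["event"] in ("user_created", "user_modified", "policy_changed"):
            # Indicator 3: account or policy changes not attributable to a known admin.
            if e["user"] not in KNOWN_ADMINS:
                findings.append((e["user"], f"{e['event']} by unattributed account from {e['src']}"))
        elif e["event"] == "rdp_connect":
            # Indicator 4: RDP from the VPN client pool to a high-value host.
            if in_any(e["src"], [VPN_POOL]) and e["dst"] in CROWN_JEWELS:
                findings.append((e["user"], f"RDP from VPN pool {e['src']} to {CROWN_JEWELS[e['dst']]} {e['dst']}"))
    return findings


if __name__ == "__main__":
    for user, what in hunt(parse(SAMPLE_LOG)):
        print(f"{user:8} {what}")
```

Bob's login never surfaces because it comes from an allow-listed range, which is the point of keeping the egress list accurate: the noise you can explain should stay out of the hunt so that the single hosting-range login followed by RDP to a domain controller stands out. Failure counts reset after each success so that a user's normal typo history does not follow them all day.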

The full remediation order, prioritized

When you are staring at a fleet of appliances and a limited maintenance window, sequence matters. Do the highest-leverage steps first:

Priority | Action                          | Why it comes first
1        | Patch or replace EOL firmware   | Closes the actively exploited flaw
2        | Reset all SSL VPN credentials   | CVE-2024-40766 leaked them wholesale
3        | Re-seed MFA / OTP secrets       | Stolen seeds defeat existing MFA
4        | Restrict VPN to known IPs       | Shrinks the attack surface immediately
5        | Harden and isolate backups      | Akira wipes backups before encrypting
6        | Hunt logs for prior access      | Patching does not evict an intruder

The trap people fall into is stopping after step 1. Patching a SonicWall that already leaked its credentials and OTP seeds just means the attacker logs in through the front door with valid details instead of exploiting the bug. Steps 2 and 3 are what actually lock them out.

Frequently asked questions

I have MFA on my VPN. Am I safe?

Not necessarily. CVE-2024-40766 allowed theft of OTP seeds, which let attackers generate valid MFA codes. Re-seeding MFA after patching is essential to close that gap.

My SonicWall is old and out of support. What now?

Replace it. Unsupported firmware does not receive patches for actively exploited flaws, and tens of thousands of such devices are already on the public internet being scanned daily.

How do I know if my model is affected?

Check SonicWall's PSIRT advisories and CISA's KEV catalog against your exact model and firmware version. Several 2026 SonicOS advisories span Gen 6, 7, and 8 firewalls, so do not assume a newer device is exempt.

Is disabling SSL VPN enough?

Turning off internet-facing SSL VPN removes a major attack path and is a reasonable emergency measure, but you still need to patch the firmware and rotate credentials before re-enabling remote access.

The bottom line

SonicWall SSL VPNs are being scanned by the thousands and breached by ransomware crews who reuse stolen credentials to walk straight past MFA. Patch the firmware now, reset every VPN credential, re-seed MFA, lock down who can reach the VPN at all, and hunt your logs for access that predates the fix. Treat an unpatched, internet-facing SonicWall as a breach waiting to be confirmed.
