SonicWall VPN accounts breached by Akira ransomware – and even those using MFA are at risk

By Sead Fadilpašić

Copyright techradar

29 September 2025

How can fully patched, 2FA-protected accounts still be breached?

Akira ransomware exploits CVE-2024-40766 to access SonicWall VPNs despite patches and MFA
Researchers suspect OTP seeds were stolen, enabling bypass of one-time password protections
Google links attacks to UNC6148 targeting patched, end-of-life SonicWall SMA 100 appliances

Akira ransomware operators are still finding ways to infiltrate SonicWall SSL VPN devices, despite known vulnerabilities being patched, and victims having multi-factor authentication (MFA) enabled on all accounts.

Multiple security researchers have confirmed that the attacks are taking place, but they offer different, if somewhat similar, theories about what is actually happening.

In late July 2025, security researchers at Arctic Wolf Labs reported an uptick in malicious logins coming through SonicWall SSL VPN instances. At the time, the researchers speculated that the endpoints may have been carrying a zero-day vulnerability, but it was later confirmed that Akira’s criminals were actually exploiting CVE-2024-40766, an improper access control flaw discovered, and patched, in September 2024.

Nabbing tokens via zero-day?

Besides patching, SonicWall also urged its customers to reset all SSL VPN credentials, but it seems these measures were not enough to keep Akira at bay.

Now, Arctic Wolf says it’s seeing successful logins even with 2FA-protected accounts. In a report published earlier this week, the researchers said multiple one-time password (OTP) challenges were issued for account login attempts before successful logins, indicating that the attackers most likely compromised OTP seeds, or found another way to generate the tokens.

“From this perspective, credentials would have potentially been harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors—even if those same devices were patched. Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled.”

At the same time, Google reported that stolen OTP seeds were the most likely culprit, but that they were nabbed through a zero-day.
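
The pattern Arctic Wolf describes, several OTP challenges issued for an account shortly before a successful login, can be hunted for in VPN authentication logs. The sketch below is an added example, not code from the article or from Arctic Wolf; the event tuples, the 10-minute window and the threshold of three are constructed assumptions, not a SonicWall log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, account, event type, source IP).
# Not a real SonicWall log format; map your own log fields onto this shape.
SAMPLE_EVENTS = [
    ("2025-09-20T02:10:05", "alice", "otp_challenge", "198.51.100.7"),
    ("2025-09-20T02:10:41", "alice", "otp_challenge", "198.51.100.7"),
    ("2025-09-20T02:11:13", "alice", "otp_challenge", "198.51.100.7"),
    ("2025-09-20T02:11:30", "alice", "login_success", "198.51.100.7"),
    ("2025-09-20T08:59:50", "bob", "otp_challenge", "203.0.113.20"),
    ("2025-09-20T09:00:02", "bob", "login_success", "203.0.113.20"),
    ("2025-09-20T09:30:00", "carol", "otp_challenge", "192.0.2.44"),
    ("2025-09-20T11:45:00", "carol", "otp_challenge", "192.0.2.44"),
    ("2025-09-20T11:45:09", "carol", "login_success", "192.0.2.44"),
]

def find_suspicious_logins(events, window=timedelta(minutes=10), threshold=3):
    """Return alerts for successful logins preceded by at least `threshold`
    OTP challenges for the same account inside the look-back window."""
    recent = defaultdict(deque)   # account -> timestamps of recent challenges
    alerts = []
    for ts, account, kind, src in sorted(events):
        when = datetime.fromisoformat(ts)
        challenges = recent[account]
        # Drop challenges that fall outside the look-back window.
        while challenges and when - challenges[0] > window:
            challenges.popleft()
        if kind == "otp_challenge":
            challenges.append(when)
        elif kind == "login_success":
            if len(challenges) >= threshold:
                alerts.append({"account": account, "time": ts, "source": src,
                               "challenges": len(challenges)})
            challenges.clear()    # a completed login starts a fresh count
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_EVENTS):
        print(alert)
```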

“Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances,” Google said in its report. “GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.”
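
Why a stolen OTP seed survives patching and a password reset: a time-based OTP is computed from the seed and the clock alone. The sketch below is an added example, not code from the article, Google or SonicWall; it implements standard RFC 6238 TOTP, and the `VpnAccount` class and its methods are a hypothetical model of a server-side account record.

```python
import hashlib
import hmac
import os
import struct

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code is a function of seed and time only."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class VpnAccount:
    """Hypothetical server-side record; password and OTP seed are separate secrets."""
    def __init__(self, otp_seed: bytes):
        self.password_generation = 1
        self.otp_seed = otp_seed

    def reset_password(self) -> None:
        self.password_generation += 1            # the OTP seed is untouched

    def reenroll_otp(self, new_seed: bytes = None) -> None:
        self.otp_seed = new_seed or os.urandom(20)

    def otp_accepts(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.otp_seed, now))

def exposed_seed_still_works(account: VpnAccount, exposed_seed: bytes, now: int) -> bool:
    """Would a code computed from a previously exposed seed pass the OTP check?"""
    return account.otp_accepts(totp(exposed_seed, now), now)

if __name__ == "__main__":
    exposed = b"12345678901234567890"            # RFC 6238 test seed, not a real secret
    acct = VpnAccount(exposed)
    acct.reset_password()
    print("after password reset:", exposed_seed_still_works(acct, exposed, 59))
    acct.reenroll_otp()
    print("after OTP re-enrolment:", exposed_seed_still_works(acct, exposed, 59))
```
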
Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.