Dual Threat Alert: Akira Ransomware Surges on SonicWall Devices While Pi-hole Donor Data Is Exposed via WordPress Plugin Flaw


    Enterprise defenders are grappling with two distinct but concurrent security incidents. In one, a sharp uptick in Akira ransomware activity is exploiting SonicWall remote access infrastructure, potentially via an unpatched zero-day. In the other, the open-source ad-blocking project Pi-hole disclosed a data exposure that leaked donor names and emails through a flawed third-party WordPress plugin.

    Akira ransomware campaign intensifies against SonicWall SSL VPNs with possible zero-day and credential abuse

    Since mid-July, the Akira ransomware group has increasingly targeted SonicWall firewall environments, especially SSL VPN endpoints, in a fast-moving campaign that moves from access to encryption with little delay. Researchers at Arctic Wolf Labs have tracked multiple intrusions beginning around July 15 where attackers gained entry through compromised SonicWall SSL VPN accounts. The pattern mirrors activity seen since at least October 2024, pointing to a sustained and evolving focus on these devices.

    Arctic Wolf warns that while a zero-day vulnerability is highly plausible in facilitating these breaches, credential-based techniques such as brute force, dictionary attacks, and credential stuffing remain possible initial vectors in some cases.

    “The initial access methods have not yet been confirmed in this campaign,” the researchers said. “While the existence of a zero-day vulnerability is highly plausible, credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases.”

    The attackers were also observed authenticating from virtual private servers (VPS)—a deviation from typical enterprise or consumer broadband traffic—suggesting deliberate infrastructure use to obscure origin and increase reliability of access. Once inside via SSL VPN, Akira operators rapidly proceed to deploy ransomware, encrypting data and adding victims to their leak portal.

    Immediate mitigation guidance amid ongoing investigation

    Given the elevated risk and the potential for unpatched exploitation, Arctic Wolf recommends:

    • Temporarily disabling SonicWall SSL VPN services until more clarity or remediation is available.
    • Enabling enhanced logging to monitor authentication and lateral movement.
    • Deploying robust endpoint monitoring to detect post-compromise activity.
    • Blocking VPN authentication attempts originating from hosting provider IP ranges unless explicitly required.

    The investigation into the precise attack chain is ongoing, with Arctic Wolf promising to share additional technical indicators as they become available.
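    The two detection steps in the guidance above (watching SSL VPN authentications and flagging logins from hosting-provider address space) can be expressed as a small log triage script. The code below is an added illustration, not Arctic Wolf's or SonicWall's tooling; the log line format, the hosting-provider CIDRs and the user names are all constructed placeholders, and in practice the ranges would come from an ASN or reputation feed.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder ranges standing in for hosting/VPS provider allocations
# (documentation prefixes, not real provider netblocks).
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed syslog-style SSL VPN authentication lines; this is an invented
# layout for the example, not SonicWall's real log format.
SAMPLE_LOG = """\
2025-07-15T02:11:04Z fw01 sslvpn: user=jdoe src=203.0.113.45 result=success
2025-07-15T08:30:12Z fw01 sslvpn: user=asmith src=192.0.2.10 result=success
2025-07-15T09:00:01Z fw01 sslvpn: user=admin src=198.51.100.7 result=failure
2025-07-15T09:00:03Z fw01 sslvpn: user=admin src=198.51.100.7 result=failure
2025-07-15T09:00:05Z fw01 sslvpn: user=admin src=198.51.100.7 result=failure
2025-07-15T09:02:40Z fw01 sslvpn: user=bwong src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Parse each matching line into a dict of ts/user/src/result; skip the rest."""
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE_RE.match(line))]


def is_hosting_ip(ip):
    """True if the source address falls inside a known hosting-provider range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def find_alerts(events, fail_threshold=3):
    """Flag successful VPN logins from hosting ranges and bursts of failures per source."""
    alerts, seen, fails = [], set(), Counter()
    for e in events:
        if e["result"] == "success" and is_hosting_ip(e["src"]):
            key = (e["user"], e["src"])
            if key not in seen:  # report each user/source pair once
                seen.add(key)
                alerts.append(("vpn_success_from_hosting",) + key)
        elif e["result"] == "failure":
            fails[e["src"]] += 1
    # A failure burst from one source is the brute-force / stuffing signal.
    alerts += [("vpn_auth_failure_burst", src, n) for src, n in fails.items() if n >= fail_threshold]
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

    On the constructed sample this reports two hosting-origin logins and one failure burst while leaving the ordinary broadband login alone; tune the threshold and ranges to the environment before acting on the output.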

    SMA 100 appliances under separate pressure; rootkit activity and patch advisory

    Complicating the SonicWall ecosystem risk profile is recent activity involving SMA 100 appliances. One week before the Akira surge reporting, SonicWall issued a warning to customers to patch CVE-2025-40599, a critical vulnerability that could allow remote code execution if an attacker already has administrative privileges. While there’s no public evidence that CVE-2025-40599 itself is currently exploited in the wild, the devices are being actively targeted through compromised credentials to deploy the OVERSTEP rootkit, according to the Google Threat Intelligence Group (GTIG).

    SonicWall strongly urged operators of both virtual and physical SMA 100 units to review logs for signs of compromise, check for indicators of compromise (IoCs) from GTIG’s reporting, and contact support immediately if anomalies are detected.

    A SonicWall spokesperson did not respond to requests for comment at the time of reporting.

    Pi-hole donor data exposed through GiveWP plugin vulnerability, names and emails publicly viewable

    Separately, Pi-hole, the widely used network-level ad blocker, disclosed that donor names and email addresses were exposed because of a security flaw in the GiveWP WordPress donation plugin powering its donation form. The issue came to light on July 28 when donors reported receiving suspicious emails at addresses they had used exclusively for contributions.

    A post-mortem published by Pi-hole explains that the vulnerability caused donor information to be embedded in the webpage’s source code without any authentication requirement, making it visible to anyone who viewed the HTML directly. The problem stemmed from the plugin inadvertently exposing stored donor metadata.

    The breach affected donors who supported Pi-hole’s development; the exact number was not specified by Pi-hole, but the breach notification service Have I Been Pwned added the incident to its database, noting that it impacted nearly 30,000 donors, with 73% of those records already known to its system.

    Pi-hole clarified that no financial data (credit card or payment details) was exposed, as those are handled separately by Stripe and PayPal. The core product remains unaffected; installations of Pi-hole itself do not require action.

    “We take full responsibility for the software we deploy. We placed our trust in a widely-used plugin, and that trust was broken,” Pi-hole wrote, acknowledging that donor names and email addresses had been publicly visible until the flaw was fixed.

    GiveWP issued a patch (version 4.6.1) within hours of the vulnerability being reported, but Pi-hole criticized the response timeline—highlighting a 17.5-hour delay before users were notified and saying the initial handling underplayed the potential impact.

    Pi-hole has apologized to affected donors and accepted accountability for the exposure while framing the flaw as unforeseeable in its context.
