Ransomware gangs are exploiting company acquisitions to breach multiple businesses at once

Corporate acquisitions usually focus on growth, talent, or market access. However, new research shows they are also creating serious cybersecurity blind spots.

According to a recent report from ReliaQuest, the Akira ransomware group has repeatedly gained access to organizations through systems inherited during mergers and acquisitions. In every Akira attack the firm analyzed between June and October 2025, the initial entry point came from infrastructure belonging to a previously acquired company.

In many cases, the acquiring organization did not even know these devices still existed on its network.

“In these cases, the acquiring enterprises were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed,” ReliaQuest said.

Legacy VPN devices are the primary entry point

The research shows that Akira most commonly exploited unpatched SonicWall SSL VPN appliances. These devices were compromised after reports surfaced in mid-July 2025 of a previously unknown vulnerability being actively abused in the wild.

Attackers used the VPN access to authenticate, move laterally across networks, and eventually deploy ransomware payloads.

By late September, multiple security firms confirmed ongoing compromises of SonicWall SSL VPN devices, including systems that were fully patched and configured with multi-factor authentication.

This suggests attackers were either chaining multiple vulnerabilities or exploiting weaknesses not fully mitigated by existing protections.

SonicWall confirms high-severity vulnerability

SonicWall has since acknowledged a serious flaw in its SonicOS SSL VPN service and released a patch.

The vulnerability, tracked as CVE-2025-40601, is a stack-based buffer overflow that allows unauthenticated attackers to crash affected firewalls, potentially opening the door to further exploitation. It carries a severity score of 7.5 out of 10.

The issue affects Gen7 and Gen8 SonicWall firewalls, both physical and virtual models. Older Gen6 devices, as well as SMA 1000 and SMA 100 series VPN products, are not impacted.

SonicWall has urged all customers to apply the patch immediately.

Why acquisitions amplify ransomware risk

Mergers and acquisitions often bring together multiple networks, legacy devices, and undocumented systems. If security audits are incomplete or rushed, attackers can exploit forgotten infrastructure to gain a foothold in a much larger environment.

In the Akira cases analyzed, the ransomware did not spread because of weak defenses in the acquiring company itself, but because inherited systems were left exposed and unmonitored.

What remains unclear is whether Akira deliberately targets companies during acquisition periods or simply compromises vulnerable organizations that later become part of larger enterprises.

Either way, the outcome is the same: a single overlooked device can become a gateway into multiple businesses.

A growing warning for dealmakers

The findings highlight the need for deeper technical due diligence during acquisitions, especially around VPNs, remote access tools, and legacy network hardware.

Without full visibility into inherited assets, organizations risk importing active compromises along with their new investments, giving ransomware groups a direct path into otherwise well-defended environments.