Akira ransomware gang attacks Nutanix VMs with multiple vulnerabilities
Take action: Treat this as a general advisory even if you do not run the targeted SonicWall, Veeam, Cisco, or Nutanix products. Be very disciplined in patching vulnerabilities, especially those in VPN and edge systems. Protect your backups by keeping them offline and isolated from your network, and enforce MFA on all systems.
CISA is warning of active attacks by the Akira ransomware operation targeting Nutanix AHV virtual machine environments.
According to a joint cybersecurity advisory released on November 13, 2025, by the FBI, CISA, DC3, HHS and multiple international law enforcement partners from Europe, Akira threat actors successfully encrypted Nutanix AHV VM disk files for the first time in a June 2025 incident.
Nutanix AHV (Acropolis Hypervisor) is a Linux-based virtualization platform designed to manage virtual machines on Nutanix hyper-converged infrastructure.
The initial access vector involved exploiting unpatched vulnerabilities in network edge devices and backup infrastructure:
- CVE-2024-40766 (CVSS score 9.6): an improper access control vulnerability in SonicWall SonicOS that grants unauthorized attackers access to firewall resources and can lead to firewall crashes.
- CVE-2024-40711 (CVSS score 9.8): an unauthenticated remote code execution vulnerability in Veeam Backup & Replication that allows attackers to achieve full system takeover.
- CVE-2023-27532 (CVSS score 7.5): a vulnerability in Veeam Backup & Replication that allows unauthenticated attackers operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database.
Akira is targeting Nutanix through compromised VPN credentials, brute-force attacks on exposed SSH and VPN endpoints, or exploitation of the SonicWall vulnerability CVE-2024-40766. Akira has successfully exploited numerous Cisco VPN product vulnerabilities, including CVE-2020-3259, CVE-2023-20269, CVE-2020-3580, CVE-2023-28252, and CVE-2024-37085, in addition to targeting SonicWall firewalls.
After the initial compromise, Akira affiliates establish persistence by creating administrative accounts with names such as "dot" or similar innocuous identifiers, which are then added to Local Administrators and Remote Desktop Users groups. The threat actors employ credential harvesting tools including Mimikatz and LaZagne to escalate privileges and obtain additional access credentials.
To maximize the impact of their attacks and ensure victims cannot easily recover, Akira targets backup infrastructure by exploiting the Veeam vulnerabilities CVE-2023-27532 and CVE-2024-40711. The threat actors delete or encrypt backup data, eliminating one of the primary recovery options for ransomware victims.
The international law enforcement coalition issuing this advisory strongly urges organizations to implement security measures to defend against Akira ransomware attacks:
- Prioritize immediate patching of all known exploited vulnerabilities, especially those affecting VPN products, firewalls, and backup servers.
- Enforce phishing-resistant multifactor authentication for all remote access services, not optional MFA that can be bypassed.
- Maintain regular, tested offline backups that are isolated from production networks, so recovery is possible without paying a ransom.
- Implement network segmentation to limit lateral movement, and monitor for suspicious activity including unauthorized domain account creation, unusual network traffic patterns, and attempts to access or modify backup systems.
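One concrete way to act on the monitoring advice above is to correlate Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) and alert when a freshly created account lands in Local Administrators or Remote Desktop Users, the persistence pattern attributed to Akira affiliates. This is an added example, not code from the advisory; the event records and the 24-hour window are constructed assumptions, and it assumes the 4732 member field has already been resolved from SID to account name.

```python
"""Flag newly created accounts that are promptly added to Administrators or
Remote Desktop Users. Input: Windows Security events 4720 and 4732 as dicts."""
from datetime import datetime, timedelta

# Well-known local group SIDs: Administrators and Remote Desktop Users
WATCHED_GROUPS = {"S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}
WINDOW = timedelta(hours=24)  # assumed correlation window, tune for your environment


def find_suspicious_promotions(events):
    """Return (account, group, created_at, added_at) for every account whose
    4720 creation is followed within WINDOW by a 4732 into a watched group."""
    created = {}  # lower-cased account name -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["target"].lower()] = ev["time"]
        elif ev["id"] == 4732 and ev["group_sid"] in WATCHED_GROUPS:
            t0 = created.get(ev["member"].lower())
            if t0 is not None and ev["time"] - t0 <= WINDOW:
                hits.append((ev["member"], WATCHED_GROUPS[ev["group_sid"]], t0, ev["time"]))
    return hits


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real log data)
SAMPLE_EVENTS = [
    {"id": 4720, "time": _t("2025-06-02T01:12:04"), "target": "dot"},
    {"id": 4732, "time": _t("2025-06-02T01:12:09"), "member": "dot", "group_sid": "S-1-5-32-544"},
    {"id": 4732, "time": _t("2025-06-02T01:12:11"), "member": "dot", "group_sid": "S-1-5-32-555"},
    {"id": 4720, "time": _t("2025-06-02T09:00:00"), "target": "svc_backup"},
    {"id": 4732, "time": _t("2025-06-02T09:00:30"), "member": "svc_backup", "group_sid": "S-1-5-32-545"},  # Users group: benign
    {"id": 4732, "time": _t("2025-06-03T10:00:00"), "member": "jsmith", "group_sid": "S-1-5-32-544"},  # no matching 4720
    {"id": 4720, "time": _t("2025-05-30T08:00:00"), "target": "tmp"},
    {"id": 4732, "time": _t("2025-06-03T08:00:00"), "member": "tmp", "group_sid": "S-1-5-32-544"},  # outside WINDOW
]

if __name__ == "__main__":
    for acct, grp, t0, t1 in find_suspicious_promotions(SAMPLE_EVENTS):
        print(f"ALERT: new account {acct!r} added to {grp} {(t1 - t0).seconds}s after creation")
```

Only the "dot" account trips the rule; the late "tmp" promotion and the pre-existing "jsmith" account do not, so the window and the 4720 requirement are what keep routine admin work out of the alert queue.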