Cybersecurity firm Huntress on Friday warned of a “widespread compromise” of SonicWall SSL VPN devices used to access multiple customer environments.
“Threat actors are rapidly authenticating multiple accounts across compromised devices,” the report said. “The speed and scale of these attacks suggests that the attackers appear to have control over valid credentials rather than brute force attacks.”
The bulk of the activity is said to have started on October 4, 2025, and affected more than 100 SonicWall SSL VPN accounts across 16 customer accounts. In the case Huntress investigated, the SonicWall device authenticated from IP address 202.155.8(.)73.
The company noted that in some cases, the attackers did not perform any further hostilities within the network and severed the connection after a short period of time. However, in other cases, attackers have been found conducting network scanning activities and attempting to access numerous local Windows accounts.
This disclosure comes shortly after SonicWall admitted that a security incident resulted in the unauthorized disclosure of firewall configuration backup files stored in MySonicWall accounts. According to the latest update, this breach affects all customers who used SonicWall’s cloud backup service.
“Firewall configuration files store sensitive information that can be exploited by threat actors to exploit or gain access to an organization’s network,” said Arctic Wolf. “These files can provide an attacker with sensitive information such as user, group, and domain settings, DNS and logging settings, and certificates.”
However, Huntress noted that at this stage there is no evidence linking this breach to the recent spike in breaches.
Considering that sensitive credentials are stored within firewall configurations, organizations using the MySonicWall cloud configuration backup service are recommended to reset credentials on live firewall devices to avoid unauthorized access.
We also recommend restricting WAN management and remote access when possible, revoking external API keys that touch firewalls and management systems, monitoring logins for signs of suspicious activity, and enforcing multi-factor authentication (MFA) for all administrator and remote accounts.
This disclosure comes amid an increase in ransomware activity targeting SonicWall firewall devices for initial access, with the attack leveraging a known security flaw (CVE-2024-40766) to infiltrate target networks deploying Akira ransomware.
In a report released this week, Darktrace said it detected an intrusion targeting an anonymous U.S. customer in late August 2025 that included network scanning, reconnaissance, lateral movement, privilege escalation using techniques such as UnPAC hashing, and data theft.
“One of the compromised devices was later determined to be a SonicWall virtual private network (VPN) server, suggesting this incident was part of a broader Akira ransomware campaign targeting SonicWall technology,” the report said.
“This campaign by the Akira ransomware attackers highlights the critical importance of maintaining up-to-date patching methods. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for continued vigilance even after patches are released.”
