Cybersecurity firm Huntress warned of a widespread compromise of SonicWall SSL VPNs, with threat actors using valid credentials to access multiple customer accounts rapidly.
“As of October 10, Huntress has observed widespread compromise of SonicWall SSLVPN devices across multiple customer environments. Threat actors are authenticating into multiple accounts rapidly across compromised devices.” reads the report published by Huntress. “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”
Since October 4, more than 100 SonicWall SSL VPN accounts across 16 customers have been compromised using valid credentials rather than brute force. According to Huntress, the logins originated from the IP address 202.155.8[.]73. Some attackers disconnected quickly, while others carried out post-exploitation activity, scanning networks and probing local Windows accounts.
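The pattern Huntress describes, many successful logins to distinct accounts from one source within a short window and with few failures, can be turned into a simple detection. The following is an added example, not code from Huntress or SonicWall; it assumes a constructed, simplified log format and constructed sample lines (real SSL VPN logs need their own parser), and the only real indicator it carries is the IP quoted above.

```python
# Added example (not Huntress or SonicWall code). Assumes a constructed log
# format "<ISO timestamp> <src_ip> <user> <SUCCESS|FAIL>", not SonicWall's own.
from collections import defaultdict
from datetime import datetime, timedelta

# Source IP quoted in the Huntress report (defanged there as 202.155.8[.]73).
KNOWN_BAD_IPS = {"202.155.8.73"}

# Constructed sample: 203.0.113.9 authenticates into five accounts in about
# a minute with zero failures, the "valid credentials, not brute force" shape.
SAMPLE_LOG = """\
2025-10-04T02:10:05Z 203.0.113.9 alice SUCCESS
2025-10-04T02:10:19Z 203.0.113.9 bob SUCCESS
2025-10-04T02:10:33Z 203.0.113.9 carol SUCCESS
2025-10-04T02:10:47Z 203.0.113.9 dave SUCCESS
2025-10-04T02:11:02Z 203.0.113.9 erin SUCCESS
2025-10-04T02:30:00Z 198.51.100.7 alice FAIL
2025-10-04T02:30:09Z 198.51.100.7 alice SUCCESS
"""


def parse(log_text):
    """Yield (timestamp, src_ip, user, result) per line of the sample format."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_credential_reuse(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that log into >= min_accounts distinct users inside one
    sliding window; many successes with few failures suggests held credentials."""
    successes, failures = defaultdict(list), defaultdict(int)
    for ts, ip, user, result in parse(log_text):
        if result == "SUCCESS":
            successes[ip].append((ts, user))
        else:
            failures[ip] += 1
    hits = {}
    for ip, events in successes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop successes that fell out of the window
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits[ip] = {"accounts": sorted(users), "failures": failures[ip],
                            "known_bad": ip in KNOWN_BAD_IPS}
                break
    return hits
```

Tune `window` and `min_accounts` to the size of the user base; a single IP legitimately serving several users (NAT, a VPN concentrator) will need an allowlist.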
SonicWall recently warned that attackers accessed firewall backup files from its cloud service, exposing encrypted credentials and configs.
In September, SonicWall urged customers to reset credentials after firewall backup files tied to MySonicWall accounts were exposed. The company announced it had blocked attackers’ access and is working with cybersecurity experts and law enforcement agencies to determine the scope of the breach.
SonicWall initially said that fewer than 5% of customers were impacted and that no files had leaked, but that the breach still posed risks requiring urgent action.
The incident impacted SonicWall firewalls whose preference files were backed up in MySonicWall.com.
SonicWall urged customers to log into their MySonicWall accounts and check whether cloud backups are enabled. If not, there is no risk. If they are, look for any flagged serial numbers; these indicate affected firewalls that need immediate remediation. If you have used backups but see no flagged devices, SonicWall will share further guidance soon.
The company told affected customers to import new preference files. However, importing the new file disrupts IPSec VPNs, TOTP bindings, and user access. After import, users must reconfigure VPN pre-shared keys and reset TOTP along with user passwords. To reduce downtime, SonicWall recommends importing during maintenance windows, off-hours, or low-activity periods since the process reboots the firewall immediately.
On October 8, SonicWall confirmed that threat actors accessed the preference files of all firewalls using its MySonicWall cloud backup service.
SonicWall said the stolen files contain encrypted credentials and configurations, which could aid attacks. The company is notifying affected users and providing assessment tools. Updated device lists now classify impacted firewalls by priority to guide remediation.
The disclosure coincides with rising ransomware attacks exploiting SonicWall flaw CVE-2024-40766 to deploy Akira ransomware. Darktrace observed an August 2025 intrusion on a U.S. firm involving scanning, lateral movement, privilege escalation, and data exfiltration.
“Starting in July 2025, Akira ransomware attacks surged globally, targeting SonicWall SSL VPN devices. In August, Darktrace detected suspicious activity in a US network, including scanning, lateral movement, and data exfiltration.” reported Darktrace. “A compromised SonicWall VPN server linked the incident to the broader Akira campaign exploiting known vulnerabilities.”
(SecurityAffairs – hacking, ransomware)