Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts

Summary

Cybersecurity firm Huntress has reported a widespread compromise of SonicWall SSL VPN devices that allowed threat actors to authenticate into multiple customer accounts rapidly. Activity began around 4 October 2025 and has affected more than 100 SonicWall SSL VPN accounts across 16 customer organisations. Observed logins originated from IP address 202.155.8[.]73. In some cases attackers disconnected quickly; in others they performed network scans and tried to access local Windows accounts.

The disclosure follows SonicWall’s acknowledgement of a separate incident that exposed firewall configuration backup files in MySonicWall cloud accounts. Those configuration files can contain sensitive credentials and settings that could be abused if obtained by attackers. Huntress says there is not yet evidence directly linking that cloud backup exposure to the recent spike in VPN compromises.

Key Points

  • Huntress observed a large-scale compromise impacting over 100 SonicWall SSL VPN accounts across 16 customers, with notable activity from 4 October 2025.
  • Attack patterns suggest threat actors had valid credentials rather than relying on brute-force methods; logins traced to IP 202.155.8[.]73.
  • Some intrusions were brief with no further activity; others involved network scanning and attempts to access multiple local Windows accounts.
  • SonicWall previously confirmed exposure of MySonicWall firewall configuration backups, which can contain credentials, certificates and other sensitive settings.
  • Security vendors (Arctic Wolf, Darktrace) warn this activity aligns with a broader campaign (including Akira ransomware) exploiting known SonicWall flaws such as CVE-2024-40766.
  • Recommended mitigations: reset firewall credentials, restrict WAN/remote management, revoke external API keys touching management systems, enable and enforce MFA, monitor logins and logs, and apply patches promptly.
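As an added illustration of the "monitor logins and logs" mitigation (this is example code written for this summary, not tooling from Huntress or SonicWall), the script below scans VPN login records for the two patterns the article describes: successful logins from the reported source IP, and a single source authenticating into several distinct accounts within a short window. The log line format is a constructed, simplified one, not SonicWall's real syslog schema, so the regular expression would need adapting to an appliance's actual export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IP reported by Huntress for the observed logins (article value, re-fanged).
KNOWN_BAD_IP = "202.155.8.73"

# Constructed, simplified record format (NOT SonicWall's real syslog layout):
# "<ISO timestamp> SSLVPN login user=<name> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SSLVPN login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample data for a stand-alone run; includes one unparseable line.
SAMPLE_LOG = """\
2025-10-04T08:00:01 SSLVPN login user=alice src=203.0.113.5 result=success
2025-10-04T08:02:10 SSLVPN login user=bob src=202.155.8.73 result=success
2025-10-04T08:02:44 SSLVPN login user=carol src=202.155.8.73 result=success
2025-10-04T08:03:15 SSLVPN login user=dave src=202.155.8.73 result=success
2025-10-04T09:30:00 SSLVPN login user=erin src=198.51.100.9 result=failure
this line is malformed and must be skipped
""".splitlines()

def parse_log(lines):
    """Yield (timestamp, user, src_ip, result) for well-formed lines; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]

def find_suspicious_logins(lines, window=timedelta(minutes=10), min_accounts=3):
    """Return {'known_bad_ip': [(ts, user), ...],
               'multi_account_source': {src_ip: [users...]}}.
    Only successful logins count: the article's pattern is valid credentials
    being used rapidly across many accounts, not brute-force failures."""
    events = sorted(e for e in parse_log(lines) if e[3] == "success")
    findings = {"known_bad_ip": [], "multi_account_source": {}}
    by_src = defaultdict(list)
    for ts, user, src, _ in events:
        if src == KNOWN_BAD_IP:
            findings["known_bad_ip"].append((ts.isoformat(), user))
        by_src[src].append((ts, user))
    for src, seq in by_src.items():
        # Sliding window: distinct accounts reached from this source within `window`.
        for i, (t0, _) in enumerate(seq):
            users = {u for t, u in seq[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                findings["multi_account_source"][src] = sorted(users)
                break
    return findings

if __name__ == "__main__":
    print(find_suspicious_logins(SAMPLE_LOG))
```

Run against a real export, the thresholds (`window`, `min_accounts`) should be tuned to the organisation's normal VPN usage so that shared NAT egress addresses do not flood the second finding.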

Context and relevance

This incident sits inside a wider trend of attackers using both exposed configuration data and known VPN/firewall vulnerabilities to gain initial access. Organisations using SonicWall appliances or MySonicWall cloud backups should treat this as high priority: leaked configs plus valid credentials are a potent combination for lateral movement and ransomware deployment. The story is particularly relevant to IT/security teams, managed service providers and any organisation relying on SonicWall SSL VPNs for remote access.

Author note (Punchy)

If you run SonicWall kit or manage VPN access — this is urgent. Patch, reset, and lock down remote management now; the details matter because threat actors are moving fast and using whatever credentials or config data they can get.

Why should I read this?

Short version: if your org uses SonicWall VPNs or stores MySonicWall backups, drop whatever low-priority task you’re doing and check your devices. We’ve read the messy logs so you don’t have to — this summary tells you the risks and the immediate fixes to stop attackers turning a quick login into a full-blown breach.

Source

Source: https://thehackernews.com/2025/10/experts-warn-of-widespread-sonicwall.html