Cybersecurity company Huntress on Friday warned of a “widespread compromise” of SonicWall SSL VPN devices to access multiple customer environments.
“Threat actors are increasingly authenticating multiple accounts on compromised devices,” it said. “The speed and scale of these attacks suggest that the attackers appear to be controlling legitimate credentials rather than brute force.”
A significant portion of the activity is said to have begun on October 4, 2025, with over 100 SonicWall SSL VPN accounts across 16 customer accounts affected. In the cases investigated by Huntress, authentication on SonicWall devices originated from the IP address 202.155.8[.]73.
The company noted that in some cases, the threat actors did not engage in further adverse actions on the network and disconnected after a short period of time. However, in other cases, attackers have been found performing network scanning activity and attempting to access multiple local Windows accounts.
The disclosure comes shortly after SonicWall acknowledged that a security incident resulted in the unauthorized exposure of firewall configuration backup files stored in MySonicWall accounts. As of the latest update, the breach affects all customers who have used SonicWall’s cloud backup service.
“Firewall configuration files store sensitive information that can be used by threat actors to exploit and gain access to an organization’s network,” said Arctic Wolf. “These files can provide threat actors with important information such as user, group and domain settings, DNS and log settings, and certificates.”
However, Huntress said there is no evidence at this stage to link this breach to the recent increase in compromises.
Keeping in mind that sensitive credentials are stored within the firewall configuration, organizations using the MySonicWall cloud configuration backup service are advised to reset their credentials on the live firewall device to avoid unauthorized access.
It is also recommended to restrict WAN management and remote access where possible, revoke any external API keys touching firewalls or management systems, monitor logins for signs of suspicious activity, and enforce multi-factor authentication (MFA) for all administrator and remote accounts.
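The login pattern Huntress describes above (many distinct accounts authenticating from one source in a short span) is something the recommended login monitoring can surface directly. The following is an added detection example, not code from Huntress or SonicWall; it parses a constructed, simplified key=value log format (not SonicWall's real syslog layout, so map the `time`, `usr`, `src` and `status` field names to your own export) and flags source IPs that successfully authenticate three or more different users inside a sliding ten-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value style; not SonicWall's real syslog format.
SAMPLE_LOGS = """\
time="2025-10-04 02:10:05" msg="SSL VPN login" usr="alice" src=203.0.113.5 status=success
time="2025-10-04 02:10:09" msg="SSL VPN login" usr="bob" src=203.0.113.5 status=success
time="2025-10-04 02:10:15" msg="SSL VPN login" usr="carol" src=203.0.113.5 status=success
time="2025-10-04 02:10:20" msg="SSL VPN login" usr="dave" src=203.0.113.5 status=success
time="2025-10-04 02:10:31" msg="SSL VPN login" usr="erin" src=203.0.113.5 status=success
time="2025-10-04 09:00:00" msg="SSL VPN login" usr="frank" src=198.51.100.7 status=success
time="2025-10-04 09:05:00" msg="SSL VPN login" usr="frank" src=198.51.100.7 status=failure
time="2025-10-04 11:00:00" msg="SSL VPN login" usr="grace" src=198.51.100.9 status=success
"""

# key=value where the value is either a quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value pairs of one log line as a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def find_multi_account_sources(log_text, window=timedelta(minutes=10), min_accounts=3):
    """Flag source IPs that successfully authenticate >= min_accounts distinct
    VPN users within any sliding window of the given length.
    Returns {src_ip: sorted accounts seen in the busiest window}."""
    events = defaultdict(list)  # src -> [(timestamp, user)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("status") != "success" or "usr" not in rec:
            continue  # only successful logins matter for this pattern
        ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        events[rec["src"]].append((ts, rec["usr"]))
    flagged = {}
    for src, seq in events.items():
        seq.sort()
        worst, start = set(), 0
        for end, (ts, _) in enumerate(seq):
            while ts - seq[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in seq[start:end + 1]}
            if len(users) >= min_accounts and len(users) > len(worst):
                worst = users
        if worst:
            flagged[src] = sorted(worst)
    return flagged
```

A hit means one source authenticated as several different users in quick succession, which on its own warrants a credential reset and a look at what those sessions did next.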
The disclosure comes amid an increase in ransomware activity targeting SonicWall firewall appliances for initial access, with a known security flaw (CVE-2024-40766) being leveraged to break into the target network to deploy Akira ransomware.
Darktrace said in a report published this week that it detected an intrusion targeting an unnamed US customer in late August 2025, which involved privilege escalation and data exfiltration using techniques such as network scanning, reconnaissance, lateral movement, pass-the-hash, etc.
“One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that this incident was part of a broader Akira ransomware campaign targeting SonicWall technology,” it said.
“This campaign by Akira ransomware actors underscores the critical importance of maintaining updated patching practices. Threat actors continue to exploit previously disclosed vulnerabilities in addition to zero-days, highlighting the need for continued vigilance even after patches are released.”