Warning of SonicWall SSL VPN Device Compromise
A recent alert from cybersecurity firm Huntress warns of a widespread compromise of SonicWall SSL VPN devices that has given threat actors access to multiple customer environments. According to the report, the attackers authenticated with valid credentials, rapidly and across many accounts; that pattern points to credentials already in the attackers' hands rather than to brute forcing.
The suspicious activity was first detected on October 4, 2025, and affected over 100 SonicWall SSL VPN accounts across 16 customer environments. Huntress's investigation found that the unauthorized authentications originated from a single IP address, 202.155.8[.]73.
In some environments the attackers only briefly accessed the network and took no further action; in others they went on to scan the network and attempt to access local Windows accounts.
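The pattern Huntress describes, one source address logging in successfully to many distinct VPN accounts within seconds, is straightforward to hunt for in authentication logs. The script below is an added example, not code from Huntress or from this article: it runs two checks over a constructed, simplified log format (not SonicWall's real syslog layout), an indicator match against the published source IP and a behavioural rule that flags any source whose successful logins cover at least five distinct accounts inside a ten-minute sliding window. The threshold, the window and the log lines themselves are assumptions chosen for illustration; note that it keys on successful logins, because a failed-login threshold would never fire against valid credentials.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IP published in the Huntress report (defanged in the article as 202.155.8[.]73).
KNOWN_BAD_SOURCES = {"202.155.8.73"}

# Constructed sample log for this example. The format is simplified and is NOT
# SonicWall's real syslog layout: ISO timestamp, event name, user, source IP.
SAMPLE_LOG = """\
2025-10-04T08:00:01Z sslvpn_login_ok user=jdoe src=203.0.113.10
2025-10-04T08:00:03Z sslvpn_login_ok user=asmith src=202.155.8.73
2025-10-04T08:00:05Z sslvpn_login_ok user=bwong src=202.155.8.73
2025-10-04T08:00:07Z sslvpn_login_ok user=cdiaz src=202.155.8.73
2025-10-04T08:00:09Z sslvpn_login_ok user=dlee src=202.155.8.73
2025-10-04T08:00:11Z sslvpn_login_ok user=ekhan src=202.155.8.73
2025-10-04T08:00:13Z sslvpn_login_ok user=fmoore src=202.155.8.73
2025-10-04T08:30:00Z sslvpn_login_ok user=jdoe src=203.0.113.10
2025-10-04T09:00:00Z sslvpn_login_ok user=gpatel src=198.51.100.7
2025-10-04T09:00:02Z sslvpn_login_ok user=hruiz src=198.51.100.7
2025-10-04T09:00:04Z sslvpn_login_ok user=ivanov src=198.51.100.7
2025-10-04T09:00:06Z sslvpn_login_ok user=jkim src=198.51.100.7
2025-10-04T09:00:08Z sslvpn_login_ok user=lchen src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Parse the constructed format into (timestamp, event, user, src) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue  # ignore blank lines and lines in another format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def ioc_hits(events):
    """Sources in the log that match the published indicator list."""
    return sorted({src for _, _, _, src in events if src in KNOWN_BAD_SOURCES})


def credential_spray_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {src: set(users)} for sources whose SUCCESSFUL logins cover at least
    `min_accounts` distinct accounts within any sliding `window`. Only successful
    logins count, because the report describes use of valid credentials."""
    by_src = defaultdict(list)
    for ts, event, user, src in events:
        if event == "sslvpn_login_ok":
            by_src[src].append((ts, user))

    flagged = {}
    for src, logins in by_src.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # advance the window start until the span fits inside `window`
            while logins[end][0] - logins[start][0] > window:
                start += 1
            users = {u for _, u in logins[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[src] = flagged.get(src, set()) | users
    return flagged


def triage(text, min_accounts=5, window=timedelta(minutes=10)):
    """Run both checks and return a plain dict suitable for a ticket or alert."""
    events = parse_log(text)
    behavioural = credential_spray_sources(events, min_accounts, window)
    return {
        "ioc_hits": ioc_hits(events),
        "behavioural": {src: sorted(users) for src, users in behavioural.items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the sample data the IOC check reports 202.155.8.73, and the behavioural rule flags both 202.155.8.73 and 198.51.100.7 (a source the indicator list does not know about), while 203.0.113.10, one user logging in twice, is left alone. That second hit is the point of keeping the behavioural rule beside the indicator match: the published IP is one address the attackers used, not the only one they could use.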
Unauthorized Exposure of Firewall Configuration Files
The VPN activity comes shortly after a separate SonicWall incident in which firewall configuration backup files were exposed, prompting warnings from security researchers that the files could be used to attack affected organizations' networks. That breach affected all customers using SonicWall's cloud backup service, potentially exposing sensitive data such as user settings, DNS configurations, and certificates.
Although there is no direct evidence linking the backup exposure to the recent VPN compromises, affected organizations are advised to reset credentials on their live firewall devices, since any secret captured in an exposed backup must be treated as known to an attacker, and to implement additional security measures.
Ransomware Attacks Targeting SonicWall Firewalls
Recent reports have also highlighted a surge in ransomware attacks targeting SonicWall firewall devices, in which known vulnerabilities are exploited to deploy Akira ransomware. These attacks reinforce the need for prompt patching of edge devices and ongoing monitoring of them.
Darktrace recently detected an intrusion at a U.S. customer that involved network scanning, reconnaissance, and privilege escalation. The intrusion involved a compromised SonicWall VPN server, consistent with the broader Akira ransomware campaign.
As threat actors continue to exploit vulnerabilities, organizations are urged to prioritize cybersecurity measures and remain vigilant in the face of evolving cyber threats.