Cybersecurity company Huntress on Friday warned of “widespread compromise” of SonicWall SSL VPN devices to access multiple customer environments.
“Threat actors are authenticating into multiple accounts rapidly across compromised devices,” it said. “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”
A significant chunk of the activity is said to have commenced on October 4, 2025, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts having been impacted. In the cases investigated by Huntress, authentications on the SonicWall devices originated from the IP address 202.155.8[.]73.
The company noted that in some instances, the threat actors did not engage in further adversarial actions in the network and disconnected after a short period of time. However, in other cases, the attackers have been found conducting network scanning activity and attempting to access numerous local Windows accounts.
The disclosure comes shortly after SonicWall acknowledged that a security incident resulted in the unauthorized exposure of firewall configuration backup files stored in MySonicWall accounts. The breach, according to the latest update, affects all customers who have used SonicWall’s cloud backup service.
“Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization’s network,” Arctic Wolf said. “These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates.”
Huntress, however, noted that there is no evidence at this stage to link the breach to the recent spike in compromises.
Considering that sensitive credentials are stored within firewall configurations, organizations using the MySonicWall cloud configuration backup service are advised to reset their credentials on live firewall devices to avoid unauthorized access.
It’s also recommended to restrict WAN management and remote access where possible, revoke any external API keys that touch the firewall or management systems, monitor logins for signs of suspicious activity, and enforce multi-factor authentication (MFA) for all admin and remote accounts.
The disclosure comes amid an increase in ransomware activity targeting SonicWall firewall devices for initial access, with the attacks leveraging known security flaws (CVE-2024-40766) to breach target networks for deploying Akira ransomware.
Darktrace, in a report published this week, said it detected an intrusion targeting an unnamed U.S. customer in late August 2025 that involved network scanning, reconnaissance, lateral movement, privilege escalation using techniques like UnPAC the hash, and data exfiltration.
“One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that the incident was part of the broader Akira ransomware campaign targeting SonicWall technology,” it said.
“This campaign by Akira ransomware actors underscores the critical importance of maintaining up-to-date patching practices. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for ongoing vigilance even after patches are released.”
