Starting October 4, 2025, attackers began rapidly accessing SonicWall SSL VPN devices using valid credentials, compromising over 100 accounts across 16 organizations. Huntress attributes the breach to credential theft rather than brute-force tactics, with some attackers probing internal networks after access.
In the cases investigated by , authentications on the SonicWall devices originated from the IP address 202.155.8.73.
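The distinction Huntress draws above, rapid successful logins with valid credentials versus password guessing, can be turned into a simple log check. The following is an added example written for this summary, not code from Huntress or SonicWall; the log format and the sample lines are constructed, and the source IP 202.155.8.73 is the one reported above.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth events in a simplified key=value format (not SonicWall's real syslog layout).
SAMPLE_LOGS = """\
2025-10-04T02:11:05Z src=202.155.8.73 user=alice result=success
2025-10-04T02:11:09Z src=202.155.8.73 user=bob result=success
2025-10-04T02:11:14Z src=202.155.8.73 user=carol result=success
2025-10-04T02:11:20Z src=202.155.8.73 user=dave result=success
2025-10-04T02:30:00Z src=198.51.100.7 user=erin result=failure
2025-10-04T02:30:02Z src=198.51.100.7 user=erin result=failure
2025-10-04T02:30:04Z src=198.51.100.7 user=erin result=failure
2025-10-04T02:30:06Z src=198.51.100.7 user=erin result=success
2025-10-04T08:00:00Z src=203.0.113.9 user=frank result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "success"}

def classify_sources(lines, window_seconds=900, min_accounts=3):
    """Label each source IP: 'credential_theft' when >= min_accounts distinct accounts
    succeed within window_seconds with no failures, 'brute_force' when failures
    outnumber successes, otherwise 'benign'."""
    by_src = defaultdict(list)
    for line in lines.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    verdicts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        successes = [e for e in events if e["ok"]]
        failures = [e for e in events if not e["ok"]]
        users = {e["user"] for e in successes}
        span = (successes[-1]["ts"] - successes[0]["ts"]).total_seconds() if successes else 0
        if len(users) >= min_accounts and span <= window_seconds and not failures:
            verdicts[src] = "credential_theft"   # valid creds, many accounts, no guessing
        elif len(failures) > len(successes):
            verdicts[src] = "brute_force"        # guessing before an eventual success
        else:
            verdicts[src] = "benign"
    return verdicts
```

The thresholds are starting points to tune against a site's normal login rate; the useful signal is a single source logging into many distinct accounts with no failures at all.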
Following a security breach that exposed firewall configuration backups stored in MySonicWall accounts, SonicWall has confirmed the incident affects all customers using its cloud backup service. While Huntress has not directly linked the breach to recent VPN compromises, experts warn the exposed configs contain sensitive data—including user credentials, network settings, and certificates—that could enable unauthorized access. Organizations are urged to reset credentials, restrict remote access, and monitor for suspicious activity as threat actors increasingly exploit known vulnerabilities to deploy Akira ransomware.
Darktrace has revealed that a late-August 2025 breach of a U.S. organization involved exploitation of a compromised SonicWall VPN server—connecting the incident to the broader Akira ransomware campaign. The attack featured advanced techniques including lateral movement, UnPAC the hash for privilege escalation, and data exfiltration. The incident highlights the ongoing risk from unpatched vulnerabilities, with threat actors increasingly targeting known flaws long after public disclosure.