Attackers exploit valid logins in SonicWall SSL VPN compromise
Cybersecurity firm Huntress warned of a widespread compromise of SonicWall SSL VPNs, with threat actors using valid credentials to access multiple customer accounts rapidly. “As of October 10, Huntress has observed widespread compromise of SonicWall SSLVPN devices across multiple customer environments. Threat actors are authenticating into multiple accounts rapidly across compromised devices,” reads the report published by Huntress. “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”
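The inference in the Huntress quote above (many rapid, successful logins into distinct accounts from one source point to possession of valid credentials, whereas a burst of failures points to guessing) can be turned into a simple log check. The following is an added example, not code from Huntress, SonicWall or the Security Affairs article; it parses a constructed log format with assumed fields and thresholds, not actual SonicWall log output.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample SSL VPN authentication log lines (not real device output).
# Assumed format: ISO timestamp, source IP, username, result (success|failure).
SAMPLE_LOG = """\
2025-10-10T02:00:01Z 203.0.113.5 alice success
2025-10-10T02:00:03Z 203.0.113.5 bob success
2025-10-10T02:00:04Z 203.0.113.5 carol success
2025-10-10T02:00:06Z 203.0.113.5 dave success
2025-10-10T02:10:00Z 198.51.100.9 alice failure
2025-10-10T02:10:01Z 198.51.100.9 alice failure
2025-10-10T02:10:02Z 198.51.100.9 alice failure
2025-10-10T02:10:03Z 198.51.100.9 alice failure
2025-10-10T03:00:00Z 192.0.2.7 frank success
"""

def parse(log_text):
    """Yield (timestamp, src_ip, user, ok) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "success"

def classify_sources(log_text, window_s=60, min_events=4):
    """Label each source IP: 'valid-credential' for min_events distinct successful
    accounts within window_s seconds, 'brute-force' for a burst of only failures."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    labels = {}
    for ip, events in by_ip.items():
        events.sort()
        label = "normal"
        for i in range(len(events)):
            # Sliding window: events[i:j] all fall within window_s of events[i].
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_s:
                j += 1
            burst = events[i:j]
            if len(burst) < min_events:
                continue
            successes = [u for _, u, ok in burst if ok]
            if len(set(successes)) >= min_events:
                label = "valid-credential"
                break
            if len(successes) == 0:
                label = "brute-force"
        labels[ip] = label
    return labels
```

Thresholds are assumptions for the constructed sample; in a real deployment they would be tuned against the normal login rate of the device.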
SonicWall recently warned that attackers accessed firewall backup files from its cloud service, exposing encrypted credentials and configs. In September, SonicWall urged customers to reset credentials after firewall backup files tied to MySonicWall accounts were exposed. The company announced it had blocked attackers’ access and is working with cybersecurity experts and law enforcement agencies to determine the scope of the breach.
On October 8, SonicWall confirmed that threat actors accessed the preference files of all firewalls using its MySonicWall cloud backup service. SonicWall said the stolen files contain encrypted credentials and configs, which could aid attacks. The company is notifying affected users and providing assessment tools. Updated device lists now classify impacted firewalls by priority to guide remediation.
The disclosure coincides with rising ransomware attacks exploiting the SonicWall flaw CVE-2024-40766 to deploy Akira ransomware. Darktrace observed an August 2025 intrusion at a U.S. firm involving scanning, lateral movement, privilege escalation, and data exfiltration. “Starting in July 2025, Akira ransomware attacks surged globally, targeting SonicWall SSL VPN devices. In August, Darktrace detected suspicious activity in a US network, including scanning, lateral movement, and data exfiltration,” reported Darktrace. “A compromised SonicWall VPN server linked the incident to the broader Akira campaign exploiting known vulnerabilities.”
To read the complete article, see Security Affairs.