Cybersecurity company Huntress issued a warning on Friday about a widespread compromise of SonicWall SSL VPN devices that allowed access to multiple customer environments.
According to Huntress, threat actors have been rapidly authenticating into multiple accounts through the compromised devices. The speed and scale of these logins suggest that the attackers hold valid credentials rather than brute-forcing them.
The activity began on October 4, 2025, impacting more than 100 SonicWall SSL VPN accounts across 16 customer accounts. Huntress investigations revealed that authentications from the compromised SonicWall devices originated from the IP address 202.155.8[.]73.
While some threat actors disconnected after a short period without further action, others engaged in network scanning and attempted to access various local Windows accounts.
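The pattern Huntress describes, many successful VPN authentications to distinct accounts from a single source in a short span, is something a defender can hunt for in VPN authentication logs. The following is an added example, not code from the article, Huntress or SonicWall: it parses a constructed log format (the timestamp/result/user/src layout is an assumption, not SonicWall's actual syslog schema), flags any authentication from the IP the article reports, and separately flags any source IP that logs into five or more distinct accounts within a five-minute sliding window. The sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IP reported in the article (defanged there as 202.155.8[.]73).
KNOWN_IOC_IPS = {"202.155.8.73"}

# Constructed sample VPN authentication log (not real data). Assumed format:
# "<ISO-8601 UTC timestamp> <SUCCESS|FAILURE> user=<account> src=<ip>"
SAMPLE_LOG = """\
2025-10-04T02:10:05Z SUCCESS user=jsmith src=202.155.8.73
2025-10-04T02:10:09Z SUCCESS user=mlee src=202.155.8.73
2025-10-04T02:10:14Z SUCCESS user=rpatel src=202.155.8.73
2025-10-04T02:10:20Z SUCCESS user=admin src=202.155.8.73
2025-10-04T02:10:27Z SUCCESS user=tnguyen src=202.155.8.73
2025-10-04T02:10:33Z SUCCESS user=kwong src=202.155.8.73
2025-10-04T02:11:00Z FAILURE user=jsmith src=198.51.100.7
2025-10-04T08:15:00Z SUCCESS user=jsmith src=203.0.113.12
2025-10-04T09:02:00Z SUCCESS user=mlee src=203.0.113.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>SUCCESS|FAILURE)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def parse_log(text):
    """Parse a whole log, silently skipping unparseable lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def ioc_hits(events):
    """Every authentication attempt (success or failure) from a known IoC IP."""
    return sorted((e["ts"], e["user"], e["src"]) for e in events if e["src"] in KNOWN_IOC_IPS)


def detect_rapid_multi_account_logins(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that successfully authenticate to at least `min_accounts`
    distinct accounts inside any sliding window of length `window`.
    Returns {src_ip: set of accounts seen in flagged windows}."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS":
            by_src[e["src"]].append((e["ts"], e["user"]))

    alerts = {}
    for src, logins in by_src.items():
        logins.sort()  # order by timestamp
        start = 0
        for end in range(len(logins)):
            # Advance the window start until the window fits inside `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            accounts = {user for _, user in logins[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[src] = alerts.get(src, set()) | accounts
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ts, user, src in ioc_hits(evts):
        print(f"IOC match: {ts.isoformat()} user={user} src={src}")
    for src, accounts in detect_rapid_multi_account_logins(evts).items():
        print(f"Rapid multi-account logins from {src}: {sorted(accounts)}")
```

The behavioral rule is the more durable of the two checks: the reported IP can change, but a single source authenticating successfully to many unrelated accounts within minutes remains anomalous for almost any VPN population. Tune `window` and `min_accounts` against your own baseline before alerting on it, and treat a hit as a prompt to reset the affected accounts' credentials rather than as proof of compromise on its own.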
This revelation comes on the heels of SonicWall’s acknowledgment of a security incident that exposed firewall configuration backup files stored in MySonicWall accounts. The breach affects all customers who have utilized SonicWall’s cloud backup service.
Arctic Wolf emphasized the sensitivity of firewall configuration files, which can provide threat actors with critical information to exploit an organization’s network. It is advised that organizations reset credentials on live firewall devices and implement additional security measures.
Although there is currently no evidence linking the breach to the recent spike in compromises, organizations are urged to remain vigilant and take necessary precautions to secure their networks.
Recent reports indicate a surge in ransomware activity targeting SonicWall firewall devices. Darktrace detected an intrusion involving network scanning, reconnaissance, and data exfiltration, with one compromised device identified as a SonicWall VPN server.
This highlights the importance of maintaining up-to-date patching practices to prevent exploitation of vulnerabilities by threat actors. Ongoing vigilance and security measures are crucial to safeguard networks from cyber threats.