SonicWall Investigates Widespread SSL VPN Attacks Targeting Ransomware Deployment


By Tina Reynolds

SonicWall, the global leader in network security solutions, is currently tracking potential inbound attacks on its SSL VPN devices. In total, these attacks have breached more than 100 accounts across 16 distinct customer environments. This research follows months of attacks using these methods, which leverage known vulnerabilities such as CVE-2024-40766 to deliver Akira ransomware. Even more alarmingly, the October 4, 2025 deadline began ticking down on October 4, 2022, which has greatly alarmed users of SonicWall’s cloud backup service.

These threat actors are now allegedly using security vulnerabilities in SonicWall firewall appliances as their vector for initial access. Once inside, attackers authenticate into multiple accounts in quick succession, which indicates the use of valid credentials rather than brute-force methods.

Attack Details and Implications

Huntress, a well-known cybersecurity firm, raised the alarm about the scale and speed of these attacks.

“Threat actors are authenticating into multiple accounts rapidly across compromised devices,” – Huntress

The firm noted that the attacks show a clear pattern of coordination, indicating that the adversary is focused on acquiring legitimate credentials. Armed with those credentials, the attackers move through the accounts they target with terrifying speed and success.

Things went from bad to worse when Darktrace announced an even bigger finding: in an incident it investigated, one of the first compromised devices was a SonicWall virtual private network (VPN) server.

“One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that the incident was part of the broader Akira ransomware campaign targeting SonicWall technology,” – Darktrace

These findings underscore the need for strong security measures to protect against the risks posed by known vulnerabilities.

Security Incident and Customer Impact

SonicWall has publicly admitted to a security incident caused by the unauthorized exposure of firewall configuration backup files. In one of the worst examples of such exposure, this breach impacts every single customer that has used its cloud backup service. The configuration files contain many keys and passwords in plaintext, so organizations are now at a higher risk of threat actors using this data to gain further access to their networks.

“Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization’s network,” – Arctic Wolf

As a result, this exposure is a major red flag, not just for SonicWall, but for any business using the security company’s products. The ramifications extend past short-term threats, undermining long-term national security goals.

These investigations are continuing. Going forward, impacted organizations need to be vigilant with their security protocols and ensure they quickly patch any publicly known vulnerabilities. The IP address 202.155.8[.]73 is associated with successful logins on the compromised SonicWall appliances, an indicator that adds weight to the findings.
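The detection logic a defender might run over VPN authentication logs for the pattern described above (rapid successful logins to many accounts from one source) and for the indicator named in this article, added here as an example and not code from SonicWall, Huntress or any other vendor. The log format and the 198.51.100.10 address are constructed, and the three-account threshold and five-minute window are assumed values to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in an assumed key=value format (not SonicWall's real log schema).
# 202.155.8.73 is the indicator the article names; 198.51.100.10 is documentation address space.
SAMPLE_LOGS = """\
2025-10-06T08:00:01Z src=202.155.8.73 user=alice result=success
2025-10-06T08:00:05Z src=202.155.8.73 user=bob result=success
2025-10-06T08:00:09Z src=202.155.8.73 user=carol result=success
2025-10-06T08:00:14Z src=202.155.8.73 user=dave result=success
2025-10-06T08:03:00Z src=198.51.100.10 user=erin result=success
2025-10-06T08:45:00Z src=198.51.100.10 user=frank result=failure
"""
KNOWN_IOCS = frozenset({"202.155.8.73"})  # the article's 202.155.8[.]73, refanged
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_logs(text):
    """Parse the constructed format into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "src": m["src"], "user": m["user"], "result": m["result"]})
    return events

def detect_credential_abuse(events, window=timedelta(minutes=5), min_accounts=3, iocs=KNOWN_IOCS):
    """Map each suspicious source IP to its reasons and the distinct users it logged in as within
    the densest sliding window. Only successes count: this targets valid-credential reuse, not brute force."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > window:  # drop events older than the window
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        reasons = []
        if src in iocs:
            reasons.append("known-indicator")
        if len(best) >= min_accounts:
            reasons.append("multi-account-burst")
        if reasons:
            alerts[src] = {"reasons": reasons, "users": sorted(best)}
    return alerts
```

Running it on the sample flags only 202.155.8.73, both because it is a known indicator and because it logged in as four distinct users within 13 seconds; the failed login from 198.51.100.10 is ignored because the pattern of interest is valid-credential use, not guessing.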

Ongoing Threats and Prevention Strategies

Experts are warning that threat actors are still actively exploiting previously disclosed vulnerabilities in SonicWall devices. This leaves an ongoing window of exposure for users who have not applied the most current patches.

“This campaign by Akira ransomware actors underscores the critical importance of maintaining up-to-date patching practices. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for ongoing vigilance even after patches are released.” – The Hacker News

Organizations are collectively urged to raise the bar on their security measures and apply patches promptly to protect against these continuously evolving threats.