Researchers are warning of widespread compromises of SonicWall SSLVPN devices, as hackers launched attacks apparently armed with real credentials rather than using brute-force techniques, according to a Friday blog post from Huntress.
“They appear to have valid credentials,” Jamie Levy, director of adversary tactics at Huntress, told Cybersecurity Dive. “The speed at which they are directly logging into multiple accounts without any brute forcing attempts prior shows that they have either valid credentials or that they have figured out another way to log in.”
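As an added illustration of the pattern Levy describes (several accounts reached in quick succession with no failed attempts beforehand), the detection routine below was written for this article and is not code from Huntress or SonicWall; the log format and the sample lines are constructed and simplified, not SonicWall's real syslog schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (simplified generic format, NOT SonicWall's
# real syslog schema): "<ISO timestamp> <user> <src_ip> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
2025-10-04T02:10:05 alice 203.0.113.7 SUCCESS
2025-10-04T02:10:09 bob 203.0.113.7 SUCCESS
2025-10-04T02:10:14 carol 203.0.113.7 SUCCESS
2025-10-04T02:10:20 dave 203.0.113.7 SUCCESS
2025-10-04T08:00:00 erin 198.51.100.20 FAIL
2025-10-04T08:01:00 erin 198.51.100.20 SUCCESS
2025-10-04T09:00:00 frank 192.0.2.33 FAIL
2025-10-04T09:00:10 frank 192.0.2.33 FAIL
2025-10-04T09:00:20 frank 192.0.2.33 SUCCESS
2025-10-04T09:00:40 grace 192.0.2.33 SUCCESS
2025-10-04T09:01:00 heidi 192.0.2.33 SUCCESS
"""

def parse_log(text):
    """Parse lines into (timestamp, user, src_ip, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return sorted(events)

def find_multi_account_logins(events, window=timedelta(minutes=10),
                              min_accounts=3, lookback=timedelta(hours=1)):
    """Find source IPs that logged into >= min_accounts distinct accounts inside
    `window`, and count failed attempts from that IP in `lookback` before the
    cluster: zero failures means the source walked straight in with working creds."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        successes = [e for e in evs if e[3]]
        for start, _, _, _ in successes:
            accounts = {u for t, u, _, _ in successes if start <= t <= start + window}
            if len(accounts) < min_accounts:
                continue
            prior_failures = sum(1 for t, _, _, ok in evs
                                 if not ok and start - lookback <= t < start)
            hits[ip] = {"accounts": sorted(accounts), "prior_failures": prior_failures}
            break  # report only the earliest qualifying cluster per source
    return hits

if __name__ == "__main__":
    print(find_multi_account_logins(parse_log(SAMPLE_LOG)))
```

On the sample data, 203.0.113.7 is reported with four accounts and no prior failures (the valid-credential pattern), 192.0.2.33 with three accounts after two failures, and the single-account source 198.51.100.20 is not reported.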
The wave of attacks began Oct. 4, and coincided with a separate update from SonicWall regarding widespread compromises of the company’s MySonicWall cloud backup service.
More than 100 SonicWall SSLVPN accounts have been compromised across 16 customer environments in the attacks flagged by Huntress. It remains unclear what connections, if any, exist between the SSLVPN attacks and the MySonicWall compromises.
In certain cases, the hackers quickly disconnected from the respective networks, while in other cases, the attackers engaged in scanning and tried to access local Windows accounts, according to researchers.
The attacks bear some resemblance to ones reported in August. Researchers had been investigating a series of attacks targeting Gen 7 firewalls that were linked to Akira ransomware.
Researchers also raised concerns about a potential zero-day vulnerability being used, but SonicWall investigated the claims and said the attacks involved a previously disclosed improper access control vulnerability.
SonicWall said many of the August attacks took place due to customers using outdated local passwords after upgrading to the next-generation firewalls. SonicWall at the time urged customers to rotate their local and LDAP account credentials.
Despite those assurances by SonicWall, researchers expressed concerns about how the new series of attacks appeared to be taking place simultaneously.
Huntress researchers have informed SonicWall of their findings, but had not yet heard a response as of Monday. A spokesperson for SonicWall did not return requests for comment from Cybersecurity Dive.