Massive SonicWall VPN Hack Exposes Global Networks as Attackers Exploit Stolen Credentials and Security Vulnerabilities
Cyber attackers have exploited SonicWall VPN devices using stolen credentials, impacting multiple networks worldwide. Experts urge organizations to reset credentials, apply security patches, and enforce MFA to prevent future cyberattacks.
Huntress, a cybersecurity firm, has issued an alert about a "widespread compromise" of SonicWall SSL VPN devices, which businesses around the world use for secure remote access. According to Huntress, the attackers gained access to multiple customer environments using legitimate login credentials rather than brute-force attempts, which means the usernames and passwords were most likely already in the attackers' hands before the logins began.
The activity reportedly began around October 4, 2025, and has already affected over 100 SonicWall VPN accounts across 16 different customers. Huntress found that the suspect logins originated from a single IP address, 202.155.8[.]73. Some sessions were disconnected almost immediately after authenticating, while in others the attackers ran network scans and attempted to log in to several Windows accounts on the internal networks behind the VPN.
This follows a separate SonicWall security incident in which firewall configuration backup files were exposed through the company's MySonicWall cloud service. Those backups can contain sensitive data such as user credentials, domain settings, DNS details, and security certificates, all of which can help an attacker gain unauthorised access to a company's systems. Another cybersecurity firm, Arctic Wolf, noted that stolen configuration files could readily be used by threat actors to target the affected organisations.
To protect themselves from these expanding threats, experts strongly advise organisations to take immediate preventative steps. They should begin by resetting all credentials on active firewall devices, since patching alone does nothing against an attacker who already holds valid passwords. It is equally necessary to restrict remote access and to revoke any external API keys that connect to firewalls or management systems. Continuous monitoring of login activity helps detect suspicious sessions early, and enabling Multi-Factor Authentication (MFA) for all administrative and remote accounts adds an important layer of protection against credential-based attacks.
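As an added example (not code from the original article, from Huntress, or from SonicWall), the following Python script shows the kind of login-log review the advice above calls for: it parses a constructed, simplified SSL VPN syslog sample, flags successful logins from the indicator IP Huntress published, reports any single source address that authenticated as many distinct accounts (the credential-reuse pattern described earlier, where one IP reached 100+ accounts), and lists sessions that logged out within seconds of logging in. The key=value log layout, the thresholds, and the helper names are assumptions for illustration; the regex must be adapted to the actual syslog format of the firewall in use.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Indicator IP reported by Huntress; the only external fact used in this example.
IOC_IPS = {"202.155.8.73"}

# Constructed sample log. The "sslvpn: key=value" layout is an assumption for this
# example, not SonicWall's real log schema. Non-indicator addresses are RFC 5737
# documentation ranges.
SAMPLE_LOG = """\
2025-10-04T02:11:05Z fw1 sslvpn: user=jdoe src=202.155.8.73 event=login result=success
2025-10-04T02:11:40Z fw1 sslvpn: user=jdoe src=202.155.8.73 event=logout
2025-10-04T02:12:13Z fw1 sslvpn: user=asmith src=202.155.8.73 event=login result=success
2025-10-04T02:12:55Z fw1 sslvpn: user=bwayne src=202.155.8.73 event=login result=success
2025-10-04T02:13:30Z fw1 sslvpn: user=ckent src=202.155.8.73 event=login result=success
2025-10-04T08:30:00Z fw1 sslvpn: user=jdoe src=198.51.100.20 event=login result=success
2025-10-04T09:05:12Z fw1 sslvpn: user=asmith src=203.0.113.7 event=login result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sslvpn:\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
    r"\s+event=(?P<event>\S+)(?:\s+result=(?P<result>\S+))?"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def parse_log(text):
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def is_success_login(e):
    return e["event"] == "login" and e["result"] == "success"


def ioc_logins(events, iocs=IOC_IPS):
    """Successful logins whose source address matches a known indicator."""
    return [(e["user"], e["src"]) for e in events if is_success_login(e) and e["src"] in iocs]


def account_spread(events, min_accounts=3):
    """Source addresses that successfully authenticated as at least min_accounts
    distinct users. One source presenting many valid credentials is the stolen-
    credential pattern, and it fires even for IPs not yet on an indicator list."""
    users = defaultdict(set)
    for e in events:
        if is_success_login(e):
            users[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users.items() if len(u) >= min_accounts}


def short_sessions(events, max_seconds=60):
    """Login followed by logout from the same user and source within max_seconds,
    i.e. the 'connect and immediately disconnect' behaviour Huntress observed."""
    open_logins = {}
    hits = []
    for e in events:  # assumes events are in chronological order, as a log file is
        key = (e["user"], e["src"])
        if is_success_login(e):
            open_logins[key] = e["ts"]
        elif e["event"] == "logout" and key in open_logins:
            duration = (e["ts"] - open_logins.pop(key)).total_seconds()
            if duration <= max_seconds:
                hits.append((e["user"], e["src"], duration))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("IOC logins:", ioc_logins(evts))
    print("Account spread:", account_spread(evts))
    print("Short sessions:", short_sessions(evts))
```

On the sample, the indicator check and the account-spread check both single out 202.155.8.73, while the legitimate-looking 198.51.100.20 login and the failed 203.0.113.7 attempt are left alone; in a real review the spread check is the more durable of the two, because it does not depend on the attacker reusing a published address.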
These attacks come as ransomware gangs, particularly the operators behind the Akira ransomware campaign, increasingly target SonicWall devices. According to Darktrace, attackers used a known vulnerability, CVE-2024-40766, to gain access to U.S. networks, escalate privileges, and exfiltrate sensitive data.
Experts believe the SonicWall incidents demonstrate the need for timely patching and strong credential policies. Cybercriminals continue to exploit both old and newly identified vulnerabilities, and, as this campaign shows, valid credentials obtained elsewhere. To guard against evolving threats, organisations must maintain a proactive approach to patch management, network monitoring, and user awareness training.
The latest SonicWall VPN compromise shows how quickly an intrusion can spread once attackers hold genuine credentials. Organisations must act promptly by resetting passwords, deploying security patches, and tightening remote access controls. Regular monitoring and multi-factor authentication are now requirements, not options, for protecting company networks. As ransomware operations such as Akira expand, only proactive security measures can guard against future breaches and data loss.
Information referenced in this article is from The Hacker News