October 13, 2025
Severity
High
Analysis Summary
A wave of coordinated attacks is targeting SonicWall SSLVPN devices, impacting numerous enterprise networks just weeks after a major breach exposed sensitive firewall configuration backups. Beginning on October 4, 2025, attackers swiftly authenticated into more than 100 accounts across 16 customer environments using stolen valid credentials, not brute-force attempts. This pattern points to a credential-based campaign leveraging insider knowledge or previously compromised data, highlighting the increasing exploitation of remote access solutions in enterprise infrastructures.
The attacks occurred in rapid succession, with clustered login attempts peaking within two days. Initial intrusions showed brief connections from the IP 202.155.8[.]73, while more advanced compromises involved internal network scans and attempts to access local Windows accounts, indicating possible lateral movement and reconnaissance. Security firm Huntress observed that the attackers’ precision suggests access to decrypted or leaked SonicWall credentials, intensifying concerns for organizations relying on SonicWall’s SSLVPN services for secure remote connectivity.
Further investigation connected these incidents to SonicWall’s recent cloud breach, in which attackers accessed encrypted configuration backups from its MySonicWall cloud service. Initially believed to affect under 5% of customers, the company later confirmed that all users of the backup feature were impacted. These backups contain critical data, including credentials, settings, and authentication details, that, if decrypted, could directly facilitate the ongoing intrusions. Although Huntress has not confirmed a direct link, the timing and methods align, suggesting the SSLVPN attacks may be a direct fallout of the breach.
To mitigate risks, organizations are urged to immediately reset all exposed credentials and disable remote management services (HTTP, HTTPS, SSH, SSL VPN) until remediation is complete. Critical actions include revoking local admin passwords, VPN pre-shared keys, LDAP/RADIUS credentials, and API tokens, while enabling enhanced logging for forensic review. Once resets are done, services should be re-enabled gradually under strict monitoring. Enforcing multi-factor authentication (MFA), applying least-privilege principles, and maintaining continuous monitoring will be vital in defending against further credential-based intrusions as SonicWall and Huntress continue tracking this evolving threat.
Impact
- Gain Access
Affected Vendors
Remediation
- Reset all credentials immediately, including local admin and user passwords, VPN pre-shared keys, LDAP or RADIUS bind credentials, wireless SSIDs and passphrases, SNMP community strings, external API keys, SMTP/FTP accounts, and dynamic DNS credentials.
- Temporarily disable remote access and management interfaces such as HTTP, HTTPS, SSH, SSL VPN, and WAN management until all credentials are secured.
- Restrict remote and wide-area network management to trusted internal networks only.
- Review firewall logs for suspicious activity, especially login attempts from IP 202.155.8[.]73, unusual admin actions, or network scans.
- Enable enhanced logging and retain records for forensic analysis and incident response.
- Re-enable services gradually after completing all resets and verifying no unauthorized access.
- Enforce multi-factor authentication (MFA) on all administrative, remote, and VPN accounts.
- Apply least-privilege principles to minimize unnecessary access.
- Continuously monitor network activity for abnormal connections or repeated login attempts.
- Follow SonicWall’s latest security advisories and Huntress’s guidance for updated mitigation steps and threat indicators.
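As an added example (not part of this advisory or of SonicWall's or Huntress's tooling), the log-review step above can be turned into two checks over VPN login records: successful logins from the indicator IP named in the advisory, and any single source authenticating successfully into several distinct accounts within a short window, the valid-credential pattern described in the analysis. The sample lines and their key=value layout are constructed for this example and are not SonicWall's real syslog schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

IOC_SOURCE_IPS = {"202.155.8.73"}  # the advisory's 202.155.8[.]73, re-fanged

# Constructed sample lines in a simplified key=value layout; field names and
# messages are assumptions for this example, not SonicWall's real syslog schema.
SAMPLE_LOGS = """\
time="2025-10-04 09:12:03" msg="SSL VPN login successful" usr="alice" src=203.0.113.5
time="2025-10-04 09:12:41" msg="SSL VPN login successful" usr="bob" src=202.155.8.73
time="2025-10-04 09:13:10" msg="SSL VPN login successful" usr="carol" src=202.155.8.73
time="2025-10-04 09:13:55" msg="SSL VPN login successful" usr="dave" src=202.155.8.73
time="2025-10-04 09:14:20" msg="SSL VPN login successful" usr="erin" src=202.155.8.73
time="2025-10-04 09:30:00" msg="SSL VPN login failed" usr="mallory" src=198.51.100.9
time="2025-10-05 14:02:00" msg="SSL VPN login successful" usr="alice" src=203.0.113.5
"""
LINE_RE = re.compile(r'time="(?P<time>[^"]+)" msg="(?P<msg>[^"]+)" usr="(?P<usr>[^"]+)" src=(?P<src>[\d.]+)')

def parse(log_text):
    """Parse lines into dicts with a datetime and an `ok` flag; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
            e["ok"] = "successful" in e["msg"]
            events.append(e)
    return events

def find_ioc_logins(events):
    """Accounts that authenticated successfully from a known indicator IP (reset these first)."""
    return sorted({e["usr"] for e in events if e["ok"] and e["src"] in IOC_SOURCE_IPS})

def find_multi_account_bursts(events, window=timedelta(minutes=10), min_accounts=3):
    """One source succeeding into many distinct accounts inside `window`; stolen valid credentials
    produce successes, not failed-login noise, so only successes count. Returns {src: max accounts}."""
    by_src = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            accounts = {x["usr"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(accounts) >= min_accounts:
                hits[src] = max(hits.get(src, 0), len(accounts))
    return hits
```

Tune `window` and `min_accounts` to the size of the environment; a VPN concentrator shared by a whole office can legitimately show several accounts behind one NAT address, so the burst check is a triage signal to be read alongside the IOC match, not a verdict on its own.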