SonicWall VPN Devices Widely Compromised

Security teams have sounded alarms after a wave of compromises affecting SonicWall SSL VPN devices and MySonicWall cloud backups. Multiple incident responders report rapid account takeovers across customer environments, with evidence pointing to leaked firewall backup files, credential reuse, and harvested multi-factor authentication (MFA) seeds — a combination that allowed attackers to authenticate into SonicWall appliances at scale.

What happened (TL;DR)

In early October 2025, Huntress and other security vendors observed attackers authenticating into many SonicWall SSL VPN accounts so quickly that investigators concluded valid credentials — not brute force — were being used. Around the same time, SonicWall confirmed an incident in which configuration backup files stored in MySonicWall cloud accounts were accessed by an unauthorized party, potentially exposing sensitive data. Those backup files can contain usernames, hashed passwords, and configuration details that make targeting customer VPN devices much easier.

At least 100 impacted accounts across multiple customer environments were reported in initial incident summaries, with activity linked to ransomware and follow-on intrusions (notably campaigns by Akira and related groups).

Why this is serious for organizations

Backup file exposure amplifies risk. Firewall backups often store configuration and credential materials used to restore devices — if those files leak, an attacker can map admin accounts and access vectors quickly. SonicWall’s MySonicWall incident confirmed that backup files for customers who used the cloud backup feature were accessed.

MFA can be bypassed if OTP seeds are stolen. Security vendors (including Arctic Wolf and Google’s GTIG) reported indicators that one-time password seeds and other secrets were harvested in prior incidents, enabling attackers to generate valid MFA tokens and bypass protections.

Even patched devices were affected. Early reports suggested some fully patched appliances were still impacted, raising concerns about credential theft and secondary exploitation rather than a single unpatched zero-day. SonicWall has linked a large portion of activity to a previously disclosed vulnerability (CVE-2024-40766) while continuing to investigate other vectors.


Attack patterns & actors

Investigations show a mix of techniques: direct authentication using stolen credentials, account takeover via OTP seed misuse, trojanized VPN clients in earlier campaigns, and exploitation of misconfigurations (for example exposed Virtual Office portals or default LDAP group settings). The Akira ransomware group and multiple financially motivated actors have been observed leveraging these access paths to deploy payloads and move laterally.

Huntress warned that the speed and breadth of account authentications point to large-scale credential reuse or leakage rather than isolated brute-force attempts. Security teams should assume compromised credentials may be in circulation for months unless proactively rotated and validated.

What SonicWall and responders have said

SonicWall published advisories acknowledging the MySonicWall cloud backup file incident, detailing their investigation with Mandiant and providing mitigation steps. The vendor stated they have “high confidence” that some recent SSL VPN activity correlates with previously disclosed issues (e.g., CVE-2024-40766) but also confirmed unauthorized access to cloud-stored backup files for affected customers.

Incident responders (Huntress, Arctic Wolf, Rapid7, and others) urged immediate credential rotation, MFA seed re-issuance where possible, and forensic review of affected appliances and network telemetry. Public reporting indicates some victims experienced follow-on ransomware activity linked to these access events.

Recommended actions (practical checklist)

Rotate all SonicWall admin and VPN credentials and immediately invalidate stored OTP seeds or re-enroll MFA tokens.

Pull and review device and VPN logs for suspicious authentication times, IP addresses, and session behaviors.

Audit MySonicWall backup usage: if you used cloud backups, assume config files may have been exposed and regenerate secrets (certificates, PSKs, service accounts).

Apply all vendor patches for SonicOS and follow SonicWall mitigation guidance; confirm affected CVEs are remediated.

Isolate, investigate, and engage IR: if you detect signs of intrusion, isolate affected devices, preserve logs, and engage incident response partners. Huntress and other vendors published IoCs and detection tips.
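The log-review step above is the one most teams struggle to make concrete. The script below is an added example, not code from the original article or from Huntress or SonicWall: it parses a handful of constructed VPN login lines (the simplified key=value layout is an assumption, not SonicWall's exact syslog format) and flags the pattern the article describes, many distinct accounts authenticating from one source address inside a short window, plus accounts that appear from more than one source address. Both outputs feed the rotation and isolation steps directly.

```python
"""Triage SSL VPN login events for signs of mass credential use.

Added example; log format and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed key=value layout, not a real appliance export).
SAMPLE_LOGS = """\
time="2025-10-04 02:11:03" msg="SSL VPN login successful" usr="alice" src=203.0.113.10
time="2025-10-04 02:11:07" msg="SSL VPN login successful" usr="bob" src=203.0.113.10
time="2025-10-04 02:11:12" msg="SSL VPN login successful" usr="carol" src=203.0.113.10
time="2025-10-04 02:11:15" msg="SSL VPN login successful" usr="dave" src=203.0.113.10
time="2025-10-04 02:11:20" msg="SSL VPN login successful" usr="erin" src=203.0.113.10
time="2025-10-04 09:30:44" msg="SSL VPN login successful" usr="frank" src=198.51.100.7
time="2025-10-04 09:31:02" msg="SSL VPN login failed" usr="frank" src=198.51.100.7
time="2025-10-04 17:05:10" msg="SSL VPN login successful" usr="alice" src=192.0.2.44
"""

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+msg="(?P<msg>[^"]+)"\s+usr="(?P<usr>[^"]+)"\s+src=(?P<src>[\d.]+)'
)


def parse_logins(text):
    """Return successful logins as (timestamp, user, source_ip), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or "successful" not in m["msg"]:
            continue  # skip unparseable lines and failed attempts
        ts = datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["usr"], m["src"]))
    events.sort()
    return events


def find_login_bursts(events, window=timedelta(minutes=5), min_accounts=3):
    """Source IPs that authenticate as >= min_accounts distinct users within `window`.

    A legitimate user logs in as one account; a source cycling through many
    accounts in minutes is consistent with leaked credentials, not brute force.
    """
    by_src = defaultdict(list)
    for ts, usr, src in events:
        by_src[src].append((ts, usr))

    findings = {}
    for src, evs in by_src.items():
        best = set()
        start = 0
        for end in range(len(evs)):
            # Sliding window: drop events older than `window` from the front.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            findings[src] = sorted(best)
    return findings


def users_from_multiple_sources(events):
    """Accounts seen from more than one source IP: candidates for forced rotation."""
    sources = defaultdict(set)
    for _, usr, src in events:
        sources[usr].add(src)
    return {u: sorted(s) for u, s in sources.items() if len(s) > 1}


if __name__ == "__main__":
    evs = parse_logins(SAMPLE_LOGS)
    for src, users in find_login_bursts(evs).items():
        print(f"burst from {src}: {len(users)} accounts -> {users}")
    for usr, srcs in users_from_multiple_sources(evs).items():
        print(f"rotate {usr}: seen from {srcs}")
```

Tune the window and account threshold to your environment; a shared NAT egress for a branch office can legitimately produce several accounts per address, so whitelist known egress ranges before alerting on bursts.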


Broader implications for VPN security

This incident underscores the layered nature of modern VPN risk: vendor vulnerabilities, cloud backup exposures, credential hygiene failures, and sophisticated threat actors converge to create high-impact compromises. Organizations relying on on-prem VPN appliances should treat cloud backups and admin workflows as part of their attack surface and harden them accordingly.


Conclusion

The SonicWall SSL VPN compromises and the related MySonicWall backup access event are a wake-up call. While vendors and responders continue to investigate, organizations must act now: rotate credentials, reissue MFA seeds, apply patches, and perform thorough forensic reviews. Waiting is not a defense; proactive hardening and swift incident response remain the best ways to limit damage from these kinds of supply-chain and credential-based attacks. (Huntress)

Selected sources (verify and read)

Huntress: Widespread SonicWall SSLVPN Compromise. (Huntress)

SonicWall: MySonicWall Cloud Backup File Incident (official advisory). (SonicWall)

The Hacker News: reporting on SonicWall investigations and Akira activity. (The Hacker News)

TechRadar / Rapid7 coverage on exploited SonicWall vulnerability and Akira ransomware. (TechRadar)

Amany Hassan

Amany Hassan is a news editor and content reviewer at VPNX, specializing in technology, cybersecurity, and digital privacy topics. Her focus is on reviewing, fact-checking, and refining articles to ensure accuracy, clarity, and added value — delivering reliable and well-edited news to readers.
