
SonicWall Breach Sparks Surge in SSLVPN Attacks

Threat actors exploit stolen credentials after SonicWall’s firewall backup breach, exposing risks to remote access and enterprise networks.

Written by Geo Cruzado
Oct 13, 2025

A new wave of cyberattacks is targeting SonicWall SSLVPN devices across enterprise networks, just weeks after cybersecurity firm Huntress confirmed in a mid-September security advisory that customer firewall backups stored in its cloud were exposed. 

The attacks have so far impacted more than 100 accounts across 16 client environments. According to Huntress, attackers are logging in with valid credentials rather than using brute-force methods, suggesting they may have obtained insider or stolen data.

“The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing,” Huntress reported in its threat advisory.

When “secure” backups become the weak link

The incident underscores the escalating threat against remote access infrastructure in enterprise settings. 

SonicWall, a provider of firewall and VPN solutions, confirmed in a September 2025 advisory that an unauthorized party accessed encrypted configuration backups for customers using its MySonicWall cloud backup service.

These backups contained sensitive data such as credentials, keys, and configuration details that, if decrypted, could enable targeted exploits.

Coordinated attacks suggest use of stolen credentials

Huntress observed that the coordinated attacks began on Oct. 4, with clustered authentication attempts peaking over the next two days. 

Many login attempts originated from the IP address 202[.]155[.]8[.]73. In several environments, attackers logged in briefly and disconnected without performing additional actions.

However, in more severe cases, they conducted internal network scans and attempted to access local Windows accounts, indicating possible reconnaissance or lateral movement.

The rapid succession of logins across multiple environments and accounts suggests that attackers already possessed valid credentials, potentially linked to data exposed in the SonicWall breach. 

While Huntress has not definitively tied the two incidents together, the timing and methods align suspiciously. The firm has shared indicators of compromise (IOCs) to help defenders identify and respond to similar attacks.
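The two behaviours described above (one source IP succeeding against many accounts in minutes, and hit-and-run sessions that log in and disconnect almost immediately) are easy to hunt for in VPN authentication logs. The following is an added example, not code from Huntress or SonicWall; the log format is a constructed, simplified key=value layout rather than SonicWall's real syslog schema, and the sample lines are made up, reusing the source IP published in the advisory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (simplified; NOT SonicWall's actual syslog format).
# The source IP is the indicator published in the Huntress advisory.
SAMPLE_LOG = """\
2025-10-04T02:10:05Z src=202.155.8.73 user=jdoe event=sslvpn_login result=success
2025-10-04T02:10:09Z src=202.155.8.73 user=jdoe event=sslvpn_logout
2025-10-04T02:10:31Z src=202.155.8.73 user=asmith event=sslvpn_login result=success
2025-10-04T02:10:34Z src=202.155.8.73 user=asmith event=sslvpn_logout
2025-10-04T02:11:02Z src=202.155.8.73 user=svc-backup event=sslvpn_login result=success
2025-10-04T02:11:40Z src=202.155.8.73 user=mlee event=sslvpn_login result=success
2025-10-04T08:45:12Z src=198.51.100.7 user=jdoe event=sslvpn_login result=success
2025-10-04T17:02:00Z src=198.51.100.7 user=jdoe event=sslvpn_logout
"""

def parse(line):
    """Split one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_credential_sprays(log, window=timedelta(minutes=10), min_accounts=3):
    """Return {src_ip: sorted users} for IPs that log in successfully to
    at least min_accounts distinct accounts within `window`."""
    logins = defaultdict(list)
    for rec in map(parse, log.strip().splitlines()):
        if rec["event"] == "sslvpn_login" and rec.get("result") == "success":
            logins[rec["src"]].append((rec["ts"], rec["user"]))
    hits = {}
    for src, events in logins.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each login
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits

def find_short_sessions(log, max_seconds=30):
    """Return [(src, user, seconds)] for login/logout pairs shorter than max_seconds."""
    open_sessions, short = {}, []
    for rec in map(parse, log.strip().splitlines()):
        key = (rec["src"], rec["user"])
        if rec["event"] == "sslvpn_login" and rec.get("result") == "success":
            open_sessions[key] = rec["ts"]
        elif rec["event"] == "sslvpn_logout" and key in open_sessions:
            dur = (rec["ts"] - open_sessions.pop(key)).total_seconds()
            if dur < max_seconds:
                short.append((rec["src"], rec["user"], dur))
    return short
```

Tune `window`, `min_accounts` and `max_seconds` to the normal login cadence of your own environment; a shared NAT egress for a branch office will otherwise trip the first check.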

Actionable defense strategies

To reduce exposure and strengthen network defenses, organizations should take immediate steps to secure remote access systems and restore credential integrity. Recommended mitigations include the following actions:

  • Restrict WAN management and remote access wherever possible, temporarily disabling HTTP, HTTPS, SSH, SSLVPN, and inbound management interfaces.
  • Reset all credentials and keys associated with impacted firewalls. This includes local admin passwords, VPN pre-shared keys, LDAP or RADIUS bind credentials, wireless passphrases, and SNMP strings.
  • Revoke and roll over external keys, including API tokens, dynamic DNS configurations, SMTP/FTP accounts, and any automation secrets tied to firewall management systems.
  • Enable enhanced logging and retain records for forensic review. Investigate all recent logins and configuration changes for unauthorized activity.
  • Re-enable services gradually, closely monitoring for re-entry attempts.
  • Enforce multi-factor authentication (MFA) on all administrative and remote access accounts.

Collectively, these actions help organizations minimize risk, reinforce remote access security, and build resilience against evolving threats.

When cloud convenience becomes a security liability

This SonicWall incident exemplifies how cloud-based configuration data can become a single point of failure across thousands of enterprise networks. 

Even when encrypted, centralized storage of sensitive credentials creates exposure risk if that encryption is ever broken or keys are leaked. 

The attacks also highlight a broader industry issue: the persistent reliance on static credentials and single-factor authentication for remote infrastructure management.

As Huntress emphasized, the incident reflects a “credential-driven” attack model increasingly favored by adversaries seeking stealthy, legitimate access instead of noisy brute-force methods. 

For organizations depending on third-party remote access platforms, visibility into authentication patterns and prompt credential rotation are now essential components of security hygiene.

With VPN and firewall systems under persistent attack, organizations can no longer rely on perimeter defenses alone. 

Adopting a zero trust model—one that enforces continuous verification at every access point—is now essential for true cyber resilience.
