Sonicwall | Breaking Cybersecurity News | The Hacker News

Cybersecurity company Huntress on Friday warned of "widespread compromise" of SonicWall SSL VPN devices to access multiple customer environments. "Threat actors are authenticating into multiple accounts rapidly across compromised devices," it said . "The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing." A significant chunk of the activity is said to have commenced on October 4, 2025, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts having been impacted. In the cases investigated by Huntress, authentications on the SonicWall devices originated from the IP address 202.155.8[.]73. The company noted that in some instances, the threat actors did not engage in further adversarial actions in the network and disconnected after a short period of time. However, in other cases, the attackers have been found conducting network scanning activity and attempting to access...

SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service. "The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks," the company said . It also noted that it's working to notify all partners and customers, adding it has released tools to assist with device assessment and remediation. The company is also urging users to log in and check for their devices. The development comes a couple of weeks after SonicWall urged customers to perform a credential reset after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts. The list of impacted devices available on the MySonicWall portal has been assigned a priority level to help customers prioritize remediation efforts. The labels are as follows - Active –...

Welcome to this week's Threatsday Bulletin —your Thursday check-in on the latest twists and turns in cybersecurity and hacking. The digital threat landscape never stands still. One week it's a critical zero-day, the next it's a wave of phishing lures or a state-backed disinformation push. Each headline is a reminder that the rules keep changing and that defenders—whether you're protecting a global enterprise or your own personal data—need to keep moving just as fast. In this edition we unpack fresh exploits, high-profile arrests, and the newest tactics cybercriminals are testing right now. Grab a coffee, take five minutes, and get the key insights that help you stay a step ahead of the next breach. Firmware fights back SonicWall Releases SMA 100 Firmware Update to Remove Rootkit SonicWall has released a firmware update that it said will help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices. "S...

SonicWall is urging customers to reset credentials after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts. The company said it recently detected suspicious activity targeting the cloud backup service for firewalls, and that unknown threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers. "While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall," the company said . The network security company said it's not aware of any of these files being leaked online by the threat actors, adding it was not a ransomware event targeting its network. "Rather this was a series of brute-force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors," it noted. It's currently not known who is...

Threat actors affiliated with the Akira ransomware group have continued to target SonicWall devices for initial access. Cybersecurity firm Rapid7 said it observed a spike in intrusions involving SonicWall appliances over the past month, particularly following reports about renewed Akira ransomware activity since late July 2025. SonicWall subsequently revealed the SSL VPN activity aimed at its firewalls involved a year-old security flaw ( CVE-2024-40766 , CVSS score: 9.3) where local user passwords were carried over during the migration and not reset. "We are observing increased threat activity from actors attempting to brute-force user credentials," the company noted . "To mitigate risk, customers should enable Botnet Filtering to block known threat actors and ensure Account Lockout policies are enabled." SonicWall has also urged users to review LDAP SSL VPN Default User Groups, describing it as a "critical weak point" if misconfigured in the con...

SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse. "We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability," the company said . "Instead, there is a significant correlation with threat activity related to CVE-2024-40766." CVE-2024-40766 (CVSS score: 9.3) was first disclosed by SonicWall in August 2024, calling it an improper access control issue that could allow malicious actors unauthorized access to the devices. "An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash," it noted in an advisory at the time. SonicWall also said it's investigating less than 40 incidents related to this activity, and that many of ...

SonicWall said it's actively investigating reports to determine if there is a new zero-day vulnerability following reports of a spike in Akira ransomware actors in late July 2025. "Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled," the network security vendor said in a statement Monday. "We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible." While SonicWall is digging deeper, organizations using Gen 7 SonicWall firewalls are advised to follow the steps below until further notice - Disable SSL VPN services where practical Limit SSL VPN connectivity to trusted IP addresses Activate services such as Botnet Protection and Geo-IP Filtering Enforce multi-factor authentication Remove inactive or unused local user ac...

SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. "In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs," Arctic Wolf Labs researcher Julian Tuin said in a report. The cybersecurity company suggested that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day vulnerability, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn't been ruled out. The uptick in attacks involving SonicWall SSL VPNs was first registered on July 15, 2025, although Arctic Wolf said that it has observed similar malicious VPN logins as far back as October 2024 , suggesting sustained efforts to target the devices. "A short interval was obser...

Sophos and SonicWall have alerted users of critical security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances that could be exploited to achieve remote code execution.  The two vulnerabilities impacting Sophos Firewall are listed below - CVE-2025-6704 (CVSS score: 9.8) - An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode CVE-2025-7624 (CVSS score: 9.8) - An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA Sophos said CVE-2025-6704 affects about 0.05% of devices, while CVE-2025-7624 impacts as many as 0.73% of devices. Both vulnerabilities have been addressed alongside a high-severity command injection v...

A threat activity cluster has been observed targeting fully-patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances as part of a campaign designed to drop a backdoor called OVERSTEP . The malicious activity, dating back to at least October 2024, has been attributed by the Google Threat Intelligence Group (GTIG) to a hacking crew it tracks as UNC6148 . The number of known victims is "limited" at this stage. The tech giant assessed with high confidence that the threat actor is "leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates." "Analysis of network traffic metadata records suggests that UNC6148 may have initially exfiltrated these credentials from the SMA appliance as early as January 2025." The exact initial access vector used to deliver the malware is currently not known due to the steps taken by the...

SonicWall has released patches to address three security flaws affecting SMA 100 Secure Mobile Access (SMA) appliances that could be fashioned to result in remote code execution. The vulnerabilities are listed below - CVE-2025-32819 (CVSS score: 8.8) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. CVE-2025-32820 (CVSS score: 8.3) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges can inject a path traversal sequence to make any directory on the SMA appliance writable CVE-2025-32821 (CVSS score: 6.7) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN admin privileges can with admin privileges can inject shell command arguments to upload a file on the appliance "An attacker with access to an SMA SSL-VPN user account can chain...

SonicWall has revealed that two now-patched security flaws impacting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild. The vulnerabilities in question are listed below - CVE-2023-44221 (CVSS score: 7.2) - Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability CVE-2024-38475 (CVSS score: 9.8) - Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server Both the flaws affect SMA 100 Series devices, including SMA 200, 210, 400, 410, 500v, and were addressed in the following versions - CVE-2023-44221 - 10.2.1.10-62sv and higher versions (Fixed on December 4, 2023) CVE-2024-38475 - 10.2.1.14-75sv and higher ve...