Executive Summary
In October 2025, a widespread cyberattack compromised more than 100 SonicWall SSLVPN accounts across 16 customer environments through the use of stolen, valid credentials. Researchers at Huntress observed the attackers rapidly authenticating into multiple accounts, with some sessions ending abruptly while others progressed to network reconnaissance and attempts at lateral movement by targeting local Windows accounts. The campaign began around October 4, 2025, with most attack traffic tracing back to a single IP address. Although there is no direct link to a previous breach involving SonicWall firewall configuration files, the incident underscores a substantial exposure risk to sensitive systems, business operations, and potentially regulatory compliance requirements.
This incident highlights the evolving threat landscape, where credential compromise—not brute force—enables rapid, large-scale intrusions into VPN infrastructures. The continued prevalence of identity-driven attacks against remote access systems amplifies the urgency for enhanced credential hygiene, multi-factor authentication, and zero-trust access controls in the face of sophisticated adversaries.
Why This Matters Now
The surge of credential-based VPN intrusions signals an urgent need to reassess VPN and remote access defenses. The compromise of SonicWall SSLVPN customer accounts shows that valid user credentials remain a primary target for attackers, which makes prompt credential rotation, continuous monitoring of authentication activity, and multifactor authentication on every remote access path the first lines of defense against similar abuse.
Attack Path Analysis
Attackers authenticated to SonicWall SSLVPN services with stolen, valid credentials, so no exploit was needed for initial access. Once inside, they conducted reconnaissance, scanning the internal network, and attempted lateral movement by targeting local Windows accounts on reachable hosts. Not every session progressed this far: some were dropped almost immediately after login, which may indicate credential validation rather than a full intrusion attempt. No command-and-control or data exfiltration was reported; an established VPN session would have provided an encrypted path for either, which is why egress controls matter even when exfiltration is not confirmed. The overall impact was widespread unauthorized access to customer networks, with a risk of operational disruption and further compromise.
Kill Chain Progression
Initial Compromise
Description
Adversaries used previously stolen, valid SonicWall VPN credentials to authenticate remotely and gain access to internal resources.
Related CVEs
The campaign described on this page used stolen, valid credentials and did not rely on any of the vulnerabilities below. They are listed because they affect the same SonicOS SSLVPN service: an appliance left unpatched for them gives an attacker additional options, and an authentication bypass removes the need for credentials altogether.

CVE-2024-40766
CVSS 9.6. An improper access control vulnerability in SonicWall SonicOS allows remote attackers to bypass authentication mechanisms.
Affected Products:
SonicWall SonicOS – 7.0.1-5035 and earlier
Exploit Status:
exploited in the wild

CVE-2024-53704
CVSS 7.2. An authentication bypass vulnerability in SonicWall SonicOS SSLVPN allows remote attackers to hijack active SSL VPN client sessions.
Affected Products:
SonicWall SonicOS – 7.1.1-7058 and older, 7.1.2-7019, 8.0.0-8035
Exploit Status:
exploited in the wild

CVE-2024-40762
CVSS 7.1. Use of a cryptographically weak pseudo-random number generator in the SonicWall SonicOS SSLVPN authentication token generator allows potential authentication bypass.
Affected Products:
SonicWall SonicOS – Gen 6 devices, Gen 7 devices, TZ80 series
Exploit Status:
exploited in the wild

CVE-2025-40601
CVSS 7.5. A stack-based buffer overflow vulnerability in the SonicWall SonicOS SSLVPN service allows unauthenticated remote attackers to cause a denial of service.
Affected Products:
SonicWall SonicOS – Gen8 and Gen7 firewalls
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Consistent with the reported activity:
Valid Accounts (T1078)
External Remote Services (T1133), the SSLVPN used for entry
Network Service Discovery (T1046)
Account Discovery: Local Account (T1087.001), matching the targeting of local Windows accounts described above
System Information Discovery (T1082)
Possible sources of the stolen credentials, not confirmed by the cited reporting:
Credential Stuffing (T1110.004)
Phishing (T1566)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA (EU Digital Operational Resilience Act) – ICT Risk Management—Access Control
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – Centralized Identity Management and MFA
Control ID: Identity Pillar - 1.2
NIS2 Directive – Access Control Policies
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Financial Services
A compromised VPN account gives an attacker an authenticated, encrypted path into the network and a ready-made egress channel, so affected credentials must be reset immediately and MFA enforced for all remote access, as the frameworks above require.
Health Care / Life Sciences
Healthcare networks face lateral movement through compromised VPN accounts, which undermines the HIPAA Security Rule's access control and audit requirements and could enable PHI exfiltration.
Government Administration
Government agencies must implement zero trust segmentation and threat detection capabilities to prevent reconnaissance attacks through stolen VPN credentials.
Information Technology/IT
IT service providers managing multicloud environments need enhanced visibility and anomaly detection to protect against widespread credential-based VPN compromises.
Sources
- SonicWall VPN accounts breached using stolen creds in widespread attacks: https://www.bleepingcomputer.com/news/security/sonicwall-vpn-accounts-breached-using-stolen-creds-in-widespread-attacks/
- SonicWall SSL-VPN SMA100 version 10.X is affected by multiple vulnerabilities: https://www.sonicwall.com/support/knowledge-base/sonicwall-ssl-vpn-sma100-version-10-x-is-affected-by-multiple-vulnerabilities/231127094418307
- SonicWall tells customers to patch SonicOS flaw allowing hackers to crash firewalls: https://www.techradar.com/pro/security/sonicwall-tells-customers-to-patch-sonicos-flaw-allowing-hackers-to-crash-firewalls
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, traffic inspection, anomaly detection, and strong policy enforcement would have significantly limited unauthorized VPN access, blocked lateral movement, and alerted on suspicious activity during the attack lifecycle.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous VPN logins from unexpected geo/IPs would trigger rapid detection and alerting.
Control: Zero Trust Segmentation
Mitigation: Limits reach of compromised VPN sessions to only least-privilege permitted systems.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral connections and network scans are blocked or logged.
Control: Inline IPS (Suricata)
Mitigation: Inline inspection detects and blocks known C2 patterns, exploits, or unauthorized tunnels.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound connections and data exfiltration attempts are blocked and logged.
Centralized monitoring and real-time visibility accelerate detection, response, and recovery.
Impact at a Glance
Affected Business Functions
- Remote Access
- Network Security
- Data Protection
Estimated downtime: 5 days
Estimated loss: $500,000
Exposure of user credentials and, through the VPN, of internal systems, leading to unauthorized access and potential data breaches. Exposure of firewall configuration files relates to the earlier incident noted in the summary, which has not been directly linked to this campaign.
Recommended Actions
Key Takeaways & Next Steps
- Enforce granular Zero Trust segmentation for all VPN, management, and internal network traffic to deny lateral movement by default.
- Deploy Threat Detection & Anomaly Response to baseline normal activity and rapidly detect suspicious logins or patterns indicative of credential misuse.
- Apply egress security and policy enforcement controls to strictly limit outbound data flows and alert on unsanctioned destinations.
- Integrate Inline IPS and east-west inspection to identify, block, and alert on malicious traffic internally and externally.
- Centralize multicloud visibility to accelerate investigation, enable real-time incident response, and validate segmentation controls across environments.
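As an added example (not code from this page, from Huntress, or from SonicWall), the following Python script implements the detection idea behind the Threat Detection & Anomaly Response control and the second recommended action above: it flags a source IP that successfully authenticates as many distinct VPN accounts within a short window, the single-IP, multi-account pattern reported in this campaign, and separately flags sessions torn down seconds after login. The log format, IP addresses, usernames and thresholds are all constructed assumptions; the format is a simplified one-line-per-event layout, not real SonicOS syslog, so parse_events() would need adapting to an appliance's actual export.

```python
"""Flag credential-misuse patterns in VPN authentication logs.

Two detections drawn from the campaign described above:
  1. one source IP authenticating as many distinct accounts in a short window;
  2. sessions that are torn down seconds after a successful login.
The log format is a constructed, simplified one (timestamp event user= src=),
not real SonicOS syslog; adapt parse_events() to your appliance's export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: 203.0.113.7 and 198.51.100.20 are documentation
# addresses and the usernames are invented. 203.0.113.7 logs in as six
# accounts in about five minutes; two of those sessions last only seconds.
SAMPLE_LOG = """\
2025-10-04T02:11:03 login_ok user=jsmith src=203.0.113.7
2025-10-04T02:11:09 logout user=jsmith src=203.0.113.7
2025-10-04T02:11:20 login_ok user=mlee src=203.0.113.7
2025-10-04T02:11:27 logout user=mlee src=203.0.113.7
2025-10-04T02:12:01 login_ok user=rpatel src=203.0.113.7
2025-10-04T02:13:44 login_ok user=agarcia src=203.0.113.7
2025-10-04T02:15:10 login_ok user=tnguyen src=203.0.113.7
2025-10-04T02:15:59 login_fail user=svc_backup src=203.0.113.7
2025-10-04T02:16:30 login_ok user=svc_backup src=203.0.113.7
2025-10-04T08:02:15 login_ok user=kbrown src=198.51.100.20
2025-10-04T16:45:00 logout user=kbrown src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>login_ok|login_fail|logout)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Parse log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "event": m["event"],
                "user": m["user"],
                "src": m["src"],
            })
    events.sort(key=lambda e: e["ts"])
    return events


def find_shared_source_ips(events, window=timedelta(minutes=10), threshold=5):
    """Return {src_ip: set_of_users} for IPs that successfully log in as at least
    `threshold` distinct users inside some `window`-long sliding window.
    The reported set is the largest distinct-user set seen in any window."""
    logins_by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_ok":
            logins_by_src[e["src"]].append(e)
    flagged = {}
    for src, logins in logins_by_src.items():
        best, start = set(), 0
        for end in range(len(logins)):
            # Advance the window start until the span fits inside `window`.
            while logins[end]["ts"] - logins[start]["ts"] > window:
                start += 1
            users = {l["user"] for l in logins[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= threshold:
            flagged[src] = best
    return flagged


def find_short_sessions(events, max_len=timedelta(seconds=30)):
    """Return (user, src, seconds) for sessions closed within `max_len` of login,
    the 'ended abruptly' behaviour seen when an attacker is only validating creds."""
    open_sessions = {}
    short = []
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "login_ok":
            open_sessions[key] = e["ts"]
        elif e["event"] == "logout" and key in open_sessions:
            duration = e["ts"] - open_sessions.pop(key)
            if duration <= max_len:
                short.append((e["user"], e["src"], int(duration.total_seconds())))
    return short


def analyze(log_text):
    """Run both detections over raw log text and return the findings."""
    events = parse_events(log_text.splitlines())
    return {
        "shared_source_ips": find_shared_source_ips(events),
        "short_sessions": find_short_sessions(events),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for src, users in findings["shared_source_ips"].items():
        print(f"ALERT {src} logged in as {len(users)} accounts: {sorted(users)}")
    for user, src, secs in findings["short_sessions"]:
        print(f"NOTE  {user}@{src} session lasted {secs}s")
```

The threshold and window are tuning knobs: a shared NAT address for a branch office will legitimately show several users, so baseline per-source account counts before alerting, and treat the short-session signal as corroboration rather than a standalone alert. Failed logins are parsed but not counted toward the shared-source threshold because the campaign's distinguishing feature was successful authentication with valid credentials, not password guessing.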