SonicWall VPN Breach: Over 100 Accounts Compromised in Security Incident

Attackers have compromised over 100 SonicWall VPN accounts by exploiting stolen credentials, unpatched vulnerabilities, and OTP seed theft to bypass MFA. Threat groups like UNC6148 and Akira ransomware are using zero-days, rootkits, and cloud backup breaches to maintain persistent access.

    The SonicWall VPN ecosystem has come under sustained attack from threat actors leveraging a combination of stolen credentials, improperly secured devices, and unpatched vulnerabilities. Recent investigations reveal that over 100 SonicWall VPN accounts across multiple environments have been compromised, exposing organizations to significant risk. Attackers have capitalized on flaws in SonicWall Secure Mobile Access (SMA) appliances and cloud backup systems to gain and retain control over customer environments—often bypassing even multi-factor authentication (MFA).

    Attackers Exploit Both Known Vulnerabilities and Stolen OTP Seeds in SonicWall Devices

    Credential Theft and MFA Bypass Techniques Are Widespread

    According to Huntress, the compromise involved the use of valid SonicWall VPN credentials to rapidly authenticate into more than 100 user accounts spanning 16 customer environments. The threat actors, active since at least October 4, 2025, authenticated straight into systems, suggesting existing access to credential data rather than brute-force attacks. In many cases, the adversaries disconnected moments after logging in, likely assessing access or preparing additional stages of the operation.

    Previous security patches addressing high-severity bugs like CVE-2024-40766 (an Improper Access Control vulnerability with a CVSS score of 9.3) have not deterred attackers. Akira ransomware operators in particular have continued to exploit SSL VPN endpoints, even on fully patched systems.

    One-Time Password Seed Compromise Undermines MFA Defenses

    A deeper look by TechRadar revealed that the MFA protections many organizations rely on were bypassed due to the theft of one-time password (OTP) seeds. In effect, attackers could generate legitimate OTPs and authenticate without resistance. These OTP seed thefts are likely the result of earlier zero-day exploits aimed at SonicWall SMA 100 series devices, many of which are now end-of-life (EOL).

    A threat group tracked as UNC6148 has operationalized these techniques, combining stolen credentials and OTP seeds to maintain persistent access across compromised appliances. This group has been active since at least October 2024, and may also be using a custom user-mode rootkit named OVERSTEP to ensure long-term persistence, credential theft, and stealth across SonicWall ecosystems.

    Exploits Extend to End-of-Life SonicWall Appliances and Unpatched Systems

    UNC6148’s targets have included patched, legacy SonicWall devices running outdated firmware. Even with updated configurations, the attackers exploited previously unknown vulnerabilities to regain access. The presence of zero-day remote code execution flaws allowed them to discreetly deploy backdoors like OVERSTEP, which modifies the boot sequence for persistence and credential exfiltration.

    Separately, Arctic Wolf Labs tied at least 30 ransomware intrusions directly to unpatched SonicWall VPN vulnerabilities—most notably CVE-2024-40766. Their research also connects the increase in successful exploits to public exposure of SonicWall’s Virtual Office Portal and misconfigured default Lightweight Directory Access Protocol (LDAP) group settings. Applied in tandem, these misconfigurations allowed threat actors to escalate access or register additional authenticator apps under compromised accounts.

    SonicWall Cloud Backup Breach Compounds the Risk With Configuration File Exposure

    Misstated Impact Leads to Confusion Over Scope of Breach

    SonicWall initially reported that fewer than 5% of its firewall customers were affected by the September 2025 breach of its firewall cloud backup service. However, a follow-up disclosure in October indicated that the breach impacted all users of the MySonicWall cloud backup platform. Attackers gained access to encrypted backup configuration files that contain:

    • Network rules
    • VPN configurations
    • Access policies
    • LDAP, RADIUS, SNMP service credentials
    • Admin credentials (if stored)

    Although the contents were encrypted, the risk of exposure through brute force or decryption cannot be dismissed. SonicWall’s updated mitigation guidance now includes deleting cloud-stored backups, rotating shared secrets, changing all credentials, and creating new local-only backups.

    CISA and SonicWall Issue Urgent Mitigation Directives

    Both the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and SonicWall have issued urgent advisories calling for proactive defense measures. Recommendations include:

    1. Patch all SonicWall VPN appliances, especially Gen5–Gen7 firewalls, SMA 100 series, and devices impacted by CVE-2024-40766.
    2. Reset all user and administrator credentials—both local and directory-integrated.
    3. Rotate OTP seeds and related MFA configurations.
    4. Restrict access to the Virtual Office Portal to known IP ranges or trusted internal networks.
    5. Monitor login attempts for unusual IP activity—such as attempts from 202.155.8[.]73, flagged in recent intrusions.

    In addition, organizations are advised to implement strong alerting and logging for any sign of VPN or cloud backup access, as threat actors have shown a preference for maintaining stealthy access to conduct later-stage attacks like ransomware deployment.
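    The login patterns described earlier (many accounts authenticated in quick succession from one source, sessions dropped moments after login) and the monitoring recommendation above can be turned into simple detection logic. The script below is an added example, not code from SonicWall, Huntress or CISA; it uses a constructed, simplified log format ("<timestamp> <login|logout> user=<name> src=<ip>") rather than SonicWall's real syslog schema, and constructed sample events. The only value taken from the page is the flagged address 202.155.8[.]73, written undefanged so it matches log text. Thresholds (30-second sessions, five distinct accounts per source within ten minutes) are assumptions to tune against your own baseline.

```python
"""Detect VPN login patterns associated with credential-based intrusions:
logins from a flagged IP, very short sessions, and one source IP cycling
through many accounts in a short window.  Constructed log format and
sample data; not SonicWall's actual log schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not real device output).
SAMPLE_LOG = """\
2025-10-04T02:10:01Z login user=alice src=203.0.113.10
2025-10-04T02:10:03Z logout user=alice src=203.0.113.10
2025-10-04T02:10:05Z login user=bob src=203.0.113.10
2025-10-04T02:10:06Z logout user=bob src=203.0.113.10
2025-10-04T02:10:09Z login user=carol src=203.0.113.10
2025-10-04T02:10:11Z logout user=carol src=203.0.113.10
2025-10-04T02:10:14Z login user=dave src=203.0.113.10
2025-10-04T02:10:15Z logout user=dave src=203.0.113.10
2025-10-04T02:10:20Z login user=erin src=203.0.113.10
2025-10-04T02:10:21Z logout user=erin src=203.0.113.10
2025-10-04T03:00:00Z login user=frank src=202.155.8.73
2025-10-04T08:00:00Z login user=grace src=198.51.100.7
2025-10-04T16:30:00Z logout user=grace src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (login|logout) user=(\S+) src=(\S+)$")

# Indicator named in the advisory text; extend from your own threat intel.
FLAGGED_IPS = {"202.155.8.73"}
SHORT_SESSION = timedelta(seconds=30)   # assumed threshold
SPRAY_WINDOW = timedelta(minutes=10)    # assumed threshold
SPRAY_THRESHOLD = 5                     # distinct accounts per source in window


def parse_events(text):
    """Parse the constructed log format into dicts; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "event": m.group(2),
                       "user": m.group(3), "src": m.group(4)})
    return events


def flagged_ip_logins(events):
    """Any successful login from a known-bad source address."""
    return [e for e in events if e["event"] == "login" and e["src"] in FLAGGED_IPS]


def short_sessions(events):
    """Pair each login with the next logout for the same user/src and
    report sessions that ended within SHORT_SESSION of starting."""
    open_logins = {}
    hits = []
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "login":
            open_logins[key] = e["ts"]
        elif key in open_logins:
            duration = e["ts"] - open_logins.pop(key)
            if duration <= SHORT_SESSION:
                hits.append((e["user"], e["src"], int(duration.total_seconds())))
    return hits


def credential_spray_sources(events):
    """Source IPs that log into >= SPRAY_THRESHOLD distinct accounts
    inside any SPRAY_WINDOW-long sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_src[e["src"]].append((e["ts"], e["user"]))
    offenders = {}
    for src, logins in by_src.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            users = {u for t, u in logins[i:] if t - start <= SPRAY_WINDOW}
            if len(users) >= SPRAY_THRESHOLD:
                offenders[src] = len(users)
                break
    return offenders


def analyze(text):
    """Run all three checks and return the findings as one dict."""
    events = parse_events(text)
    return {
        "flagged_ip_logins": [(e["user"], e["src"]) for e in flagged_ip_logins(events)],
        "short_sessions": short_sessions(events),
        "spray_sources": credential_spray_sources(events),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

    On the sample data the three checks fire independently: the flagged-IP rule catches the single login from 202.155.8.73, the short-session rule catches the five one-to-two-second sessions, and the spray rule attributes those five accounts to the one source 203.0.113.10 while leaving the normal eight-hour session alone. In production, feed the parser your appliance's actual export format and alert on any of the three lists being non-empty.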

    A Shifting Threat Landscape Calls for Continuous Vigilance and Patch Discipline

    This extended series of SonicWall VPN compromises underscores increasingly sophisticated tactics by cyber actors blending multiple intrusion vectors: stolen credentials, outdated firmware, cloud configuration theft, and rootkit-based persistence mechanisms. With ransomware operators like Akira and UNC6148 actively exploiting vulnerabilities—even on patched or MFA-protected devices—traditional safeguards are proving insufficient without holistic, layered defenses.

    Security teams must assume that credential compromise is a given, and bolster protections through:

    • Zero trust network models
    • Complete lifecycle management of backup data
    • Continuous validation of MFA configurations
    • Strict isolation of web-exposed management portals

    Failure to act promptly could leave organizations vulnerable not only to access breaches but also to extortion, data theft, and debilitating ransomware incidents.

    For enterprises still running end-of-life SonicWall SMA 100 series hardware, the guidance is stark: decommission devices immediately and transition to supported platforms with up-to-date firmware and hardened authentication controls.
