Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts
Cybersecurity company Huntress on Friday warned of "widespread compromise" of SonicWall SSL VPN devices to access multiple customer environments. "Threat actors are authenticating into multiple accounts rapidly across compromised devices," it said. "The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing." A significant chunk of
AI Analysis
Technical Summary
According to Huntress, the activity began in early October 2025 and has affected more than 100 accounts across 16 customer environments. Threat actors authenticated rapidly into multiple accounts on compromised SonicWall SSL VPN devices; the speed and scale, without a brute-force pattern of failed attempts, indicate that the attackers already held valid credentials. All observed authentications came from a single source IP, 202.155.8[.]73. Post-authentication behaviour varied: some sessions disconnected shortly after connecting, while others performed network scanning and attempted to access local Windows accounts, consistent with reconnaissance and early lateral movement.
The activity follows SonicWall's disclosure that firewall configuration backup files stored in MySonicWall cloud accounts were exposed. Those files contain user, group and domain settings, DNS configuration, logs and certificates, and credentials embedded in such a configuration would give an attacker exactly what this campaign requires. No direct link between the backup exposure and the VPN logins has been established, but the timing and the use of valid credentials make it a plausible source alongside phishing, infostealer logs and earlier breaches.
Separately, ransomware activity against SonicWall devices remains elevated, notably the Akira campaign exploiting CVE-2024-40766, an improper access control flaw affecting SonicOS SSL VPN, followed by network scanning, privilege escalation, lateral movement and data exfiltration. Timely patching and robust access controls remain essential.
The attack vector in this campaign is credential compromise. Because the attackers pass authentication with valid credentials, their logins appear in device logs as ordinary successful sessions rather than as exploit attempts or failed-login spikes; detection therefore depends on behavioural signals (one source IP authenticating to many accounts in a short window, logins from unfamiliar addresses or known indicator IPs, post-login scanning) rather than on signatures.
The threat actors' ability to move laterally and attempt privilege escalation within networks increases the risk of data theft, ransomware deployment, and operational disruption.
Potential Impact
For European organizations, this threat poses significant risk because SonicWall VPNs are widely deployed for remote access and many customers rely on MySonicWall cloud backups. Compromised VPN credentials give an attacker an authenticated foothold on the internal network, from which they can conduct reconnaissance, move laterally, escalate privileges, and deploy ransomware or exfiltrate data. Exposed configuration backups make that worse by handing the attacker detailed network and security configuration, which enables targeted follow-on attacks. Organizations in sectors with strict data protection obligations, such as finance, healthcare and critical infrastructure, face additional compliance and reputational exposure if a breach occurs. The medium severity rating reflects the potential for significant confidentiality and integrity impact; availability impact depends on what the attacker does after access. The incident also underlines the importance of securing remote access infrastructure while hybrid and remote work remain prevalent across Europe. Failure to mitigate could result in operational disruption, financial loss, regulatory penalties and loss of customer trust.
Mitigation Recommendations
European organizations should implement a layered response tailored to this threat. Start by resetting all credentials on SonicWall appliances and MySonicWall cloud backup accounts. Treat every secret that can be present in a configuration backup as exposed: local user and administrator passwords, LDAP/RADIUS bind credentials and shared secrets, IPsec pre-shared keys, and any API keys used by management integrations. Revoke external API keys associated with firewall or management systems. After the reset, terminate active SSL VPN sessions: new passwords and MFA prevent future logins but do not end sessions that are already established.
Enforce strong, unique passwords and multi-factor authentication for all administrative and remote-access accounts. Restrict WAN management and remote access to trusted IP addresses and networks wherever feasible, and disable management from the WAN entirely where it is not needed.
Monitor VPN and firewall logs continuously for unusual login patterns: a single source IP authenticating to many accounts within minutes, successful logins from 202.155.8[.]73 or other unfamiliar addresses, logins at unusual hours for a given user, and new sessions followed by internal port scanning or Windows authentication attempts. Alert on successful logins that match these patterns, not only on failed logins, because a credential-based campaign produces few failures.
Ensure all SonicWall devices are fully patched, including for CVE-2024-40766, which the Akira campaign continues to exploit. Conduct regular security assessments and penetration tests of the VPN and firewall infrastructure, train users and administrators on phishing and credential theft, and develop and exercise incident response procedures for a VPN compromise so that containment (session termination, credential reset, isolation of hosts the attacker touched) can happen quickly.
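The Technical Summary describes the key signal of this campaign (one source IP authenticating into many accounts in a short window, with no brute-force noise) and the Mitigation Recommendations ask for log monitoring that alerts on exactly that. The following is an added example, not code from Huntress, SonicWall or the original article, of detection logic that runs over VPN login log lines. The sample lines are constructed to imitate the key=value shape of SonicOS syslog output; the field names (`usr=`, `src=`, `msg=`), the message text and the message IDs are assumptions about the format and should be adapted to the schema your appliance actually emits.

```python
"""Flag SSL VPN source IPs that log in to many distinct accounts in a short
window, or that match a known indicator IP. Added example; constructed data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IP named in the Huntress reporting (defanged in the article as 202.155.8[.]73).
IOC_IPS = {"202.155.8.73"}

# Constructed sample lines imitating SonicOS key=value syslog. The field names,
# message text and message IDs are assumptions, not captured device output.
SAMPLE_LOGS = [
    'id=sonicwall sn=0017C5000000 time="2025-10-08 14:02:11" fw=203.0.113.2 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" usr="a.meyer" src=202.155.8.73:51234:X1',
    'id=sonicwall sn=0017C5000000 time="2025-10-08 14:02:25" fw=203.0.113.2 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" usr="b.novak" src=202.155.8.73:51240:X1',
    'id=sonicwall sn=0017C5000000 time="2025-10-08 14:02:40" fw=203.0.113.2 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" usr="c.dubois" src=202.155.8.73:51251:X1',
    'id=sonicwall sn=0017C5000000 time="2025-10-08 14:03:02" fw=203.0.113.2 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" usr="d.rossi" src=202.155.8.73:51263:X1',
    'id=sonicwall sn=0017C5000000 time="2025-10-08 14:10:00" fw=203.0.113.2 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" usr="e.smith" src=198.51.100.7:44021:X1',
    'id=sonicwall sn=0017C5000000 time="2025-10-08 15:20:00" fw=203.0.113.2 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" usr="f.jones" src=198.51.100.7:44110:X1',
    'id=sonicwall sn=0017C5000000 time="2025-10-08 15:21:00" fw=203.0.113.2 pri=6 m=1081 msg="SSL VPN zone remote user login failed" usr="admin" src=198.51.100.7:44115:X1',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_login(line):
    """Return {time, user, src_ip} for a successful SSL VPN login, else None."""
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    if "login allowed" not in fields.get("msg", ""):
        return None  # failed logins and unrelated messages are ignored here
    return {
        "time": datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S"),
        "user": fields["usr"],
        "src_ip": fields["src"].split(":")[0],  # drop ":port:interface" suffix
    }


def detect(lines, max_accounts=3, window=timedelta(minutes=5)):
    """Return {src_ip: {"reasons": [...], "users": [...]}} for suspicious IPs.

    An IP is flagged when it matches IOC_IPS, or when it logs in to at least
    max_accounts distinct accounts within any `window`-long span of time.
    """
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_login(line)
        if event:
            by_ip[event["src_ip"]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        reasons = []
        if ip in IOC_IPS:
            reasons.append("ioc_match")
        # Sliding window over time-ordered logins, counting distinct accounts.
        start = 0
        for end in range(len(events)):
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            if len({e["user"] for e in events[start:end + 1]}) >= max_accounts:
                reasons.append("rapid_multi_account")
                break
        if reasons:
            alerts[ip] = {"reasons": reasons,
                          "users": sorted({e["user"] for e in events})}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOGS).items():
        print(f"ALERT {ip}: {', '.join(alert['reasons'])} accounts={alert['users']}")
```

On the constructed sample, only 202.155.8.73 is flagged: it matches the indicator list and authenticates to four different accounts in under a minute. The second address logs in as two users more than an hour apart and produces no alert, which is the point of the sliding window: threshold on distinct accounts per source within a short time, not on raw login counts, so ordinary shared egress addresses (office NAT, a VPN concentrator) do not trip it unless many users appear within minutes. Tune `max_accounts` and `window` to your own baseline before wiring the output to a SIEM rule.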
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Ireland
Technical Details
- Article Source: https://thehackernews.com/2025/10/experts-warn-of-widespread-sonicwall.html (fetched 2025-10-13T00:49:57Z, 1054 words)
Threat ID: 68ec4cb8fbc519dcfe59fee1
Added to database: 10/13/2025, 12:50:00 AM
Last enriched: 10/13/2025, 12:50:31 AM
Last updated: 12/5/2025, 2:18:27 AM