
Researchers Warn of Large-Scale SonicWall SSLVPN Account Compromise

Deepanker Verma October 13, 2025 Security


Security researchers have discovered that more than 100 SonicWall SSLVPN accounts have been compromised in a large-scale campaign. Attackers used stolen, valid credentials to access these accounts.

The activity started around October 4, according to managed cybersecurity platform Huntress, and affected multiple customer environments. In some cases, the attackers disconnected quickly. In others, they performed network scans and tried to access local Windows accounts.

Huntress explained that the attackers are logging into multiple accounts very quickly, which indicates that they hold valid credentials rather than attempting a brute-force attack. The compromised accounts spanned 16 different environments protected by Huntress. Most of the malicious activity came from the IP address 202.155.8[.]73.
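A defender-side illustration of the signal Huntress describes: rapid successful logins to many distinct accounts from one source with almost no failures, as opposed to the failure-heavy pattern of brute force. This is an added example, not code from the article or from Huntress; the log line format, the threshold values and the sample lines are constructed assumptions, not real SonicWall output.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not real SonicWall log output): timestamp, source IP, account, result.
SAMPLE_LOGS = """\
2025-10-04T02:10:01Z 198.51.100.7 alice SUCCESS
2025-10-04T02:10:03Z 198.51.100.7 bob SUCCESS
2025-10-04T02:10:06Z 198.51.100.7 carol SUCCESS
2025-10-04T02:10:08Z 198.51.100.7 dave SUCCESS
2025-10-04T02:10:11Z 198.51.100.7 erin FAILURE
2025-10-04T02:10:14Z 198.51.100.7 frank SUCCESS
2025-10-04T09:00:00Z 203.0.113.5 alice SUCCESS
2025-10-04T11:30:00Z 203.0.113.9 bob FAILURE
2025-10-04T11:30:02Z 203.0.113.9 bob FAILURE
2025-10-04T11:30:04Z 203.0.113.9 bob FAILURE
2025-10-04T11:30:08Z 203.0.113.9 bob SUCCESS
"""

def parse(text):
    """Parse 'ts ip user result' lines into (datetime, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)

def classify_sources(events, window=timedelta(minutes=10), min_accounts=5, max_fail_ratio=0.25):
    """Label each source IP: 'valid-credential-campaign' = successful logins to >= min_accounts
    distinct accounts inside one window with few failures (the pattern Huntress described);
    'brute-force' = mostly failures; 'normal' otherwise. Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    labels = {}
    for ip, evs in by_ip.items():
        labels[ip] = "normal"
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            win = evs[start:end + 1]
            ok_users = {u for _, _, u, r in win if r == "SUCCESS"}
            fails = sum(1 for e in win if e[3] == "FAILURE")
            fail_ratio = fails / len(win)
            if len(ok_users) >= min_accounts and fail_ratio <= max_fail_ratio:
                labels[ip] = "valid-credential-campaign"
            elif fails >= 3 and fail_ratio > 0.5 and labels[ip] == "normal":
                labels[ip] = "brute-force"
    return labels
```

Running `classify_sources(parse(SAMPLE_LOGS))` labels the first source as a valid-credential campaign, the second as normal and the third as brute force; in practice the same logic would be fed SSLVPN authentication events from the firewall's syslog export.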

After authentication, the attackers focused on reconnaissance and lateral movement, trying to access many local Windows accounts. Huntress also clarified that these compromises do not appear to be connected to the recent SonicWall breach that exposed cloud backup firewall configuration files.

SonicWall’s configuration files contain highly sensitive information, but they are encoded, and credentials are encrypted with AES-256, meaning attackers cannot easily read them even if they access the files.

SonicWall recommends administrators take the following steps:

  • Reset and update all local user passwords and temporary access codes
  • Update passwords on LDAP, RADIUS, or TACACS+ servers
  • Update secrets in IPSec site-to-site and GroupVPN policies
  • Update and reset L2TP/PPPoE/PPTP WAN interface passwords

Huntress recommends several additional measures to reduce risk. Administrators should restrict WAN management and remote access when they are not needed, and disable or limit HTTP, HTTPS, SSH, and SSL VPN until all secrets have been rotated. They should also revoke external API keys, dynamic DNS entries, and SMTP or FTP credentials, while ensuring that all admin and remote accounts are protected with multi-factor authentication. Finally, any services that are reintroduced should be brought back in a staged manner, with careful monitoring for suspicious activity at each step.




About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
