

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

4 unique sources, 12 articles

Summary


SonicWall has disclosed a zero-day attack chain against the SMA1000 Appliance Management Console (AMC): CVE-2025-40602 (local privilege escalation) chained with CVE-2025-23006 (pre-authentication deserialization) gives an unauthenticated attacker remote code execution. Over 950 SMA1000 appliances remain reachable from the internet, and SonicWall urges customers to move to the latest hotfix release.

Earlier, SonicWall confirmed that every customer using its MySonicWall cloud backup service had firewall configuration files accessed by unauthorized actors. The files hold AES-256-encrypted credentials alongside the rest of the configuration; SonicWall nonetheless treats those credentials as exposed and directs customers through its Essential Credential Reset steps. The incident was initially described as brute-force attacks on MySonicWall accounts and was later linked to state-backed actors. Over the same period, UNC6148 deployed the OVERSTEP backdoor on SMA 100 series devices, over 100 SSL VPN accounts across 16 customer environments were compromised using valid credentials (Huntress has not linked this activity to the MySonicWall breach), and Akira ransomware actors exploited unpatched devices (CVE-2024-40766) and bypassed MFA with previously stolen OTP seeds. SonicWall has released remediation tools and firmware updates and has worked with Mandiant and law enforcement. No evidence has emerged of the exposed configuration data being used in follow-on attacks.

Customers should prioritize credential resets (including OTP rebinding), firmware updates, and MFA enforcement, and should monitor for signs of compromise such as log deletions, unauthorized reboots, or persistent admin sessions.

Timeline

  1. 17.12.2025 19:44 · 1 article

    SonicWall discloses SMA1000 zero-day attack chain with privilege escalation and RCE

    SonicWall warned of a zero-day attack chain targeting the SMA1000 Appliance Management Console (AMC): CVE-2025-40602, a medium-severity local privilege escalation, chained with CVE-2025-23006, a critical pre-authentication deserialization flaw. Under specific conditions the chain lets an attacker execute arbitrary OS commands as root. CVE-2025-23006 was fixed in build 12.4.3-02854 and higher (released January 22, 2025), so any SMA1000 still running an older build is exposed to the full chain. Shadowserver counts over 950 SMA1000 devices exposed online, which raises the risk for enterprises, governments, and critical infrastructure. SonicWall PSIRT strongly advises upgrading to the latest hotfix release, which addresses both vulnerabilities. The chain does not affect SSL-VPN services on SonicWall firewalls.

  2. 11.10.2025 16:30 · 1 article

    Over 100 SonicWall SSL VPN accounts compromised in widespread attack

    Over 100 SonicWall SSL VPN accounts across 16 customer environments have been compromised. The accounts were accessed in rapid succession, which points to the use of valid credentials rather than brute-forcing. The activity began on October 4, 2025 and originated from the IP address 202.155.8[.]73. In some cases the threat actors went on to scan the network and attempt access to local Windows accounts. Huntress has found no evidence linking this activity to the previously reported breach of MySonicWall accounts.

  3. 09.10.2025 14:10 · 5 articles

    SonicWall releases remediation tools and guidance for impacted customers

    SonicWall has advised organizations that used the MySonicWall cloud configuration backup service to reset credentials, restrict WAN-side management access, revoke external API keys, monitor logins, and enforce MFA. Because an attacker holding exported credentials logs in with valid credentials rather than brute-forcing, login monitoring should cover successful logins from unfamiliar sources, not only failed attempts.

  4. 24.09.2025 16:00 · 1 article

    UNC6148 deploys OVERSTEP malware on SonicWall SMA devices

    The threat actor UNC6148 has been deploying OVERSTEP, a previously unknown persistent backdoor and user-mode rootkit, on SonicWall SMA appliances to maintain access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and to hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP; known vulnerabilities the group may have exploited include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819.

  5. 23.09.2025 16:15 · 2 articles

    SonicWall releases firmware update to remove rootkit malware from SMA 100 devices

    SonicWall released an SMA 100 firmware update that removes the OVERSTEP rootkit described in entry 4 (24.09.2025): it modifies the appliance's boot process to persist, steals credentials, removes log entries to evade detection, and hides its own files and activity. SonicWall advises customers to look for signs of compromise: gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access after patching or resets. CISA recommends upgrading the firmware, replacing and rebuilding SMA 500v virtual appliances, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing any certificates whose private keys were stored on the appliance.

  6. 18.09.2025 17:12 · 3 articles

    Akira ransomware group targets unpatched SonicWall devices

    The Akira ransomware group bypasses MFA on SonicWall VPN accounts using previously stolen OTP seeds. Once inside, the group uses Impacket SMB session-setup requests, RDP logins, and Active Directory enumeration tools, targets Veeam Backup & Replication servers to extract and decrypt stored credentials, and uses BYOVD attacks to kill endpoint protection processes so the ransomware can run unblocked. The activity has been seen on devices already running SonicOS 7.3.0, the release SonicWall recommends for mitigating credential attacks, because a stolen OTP seed stays valid until the OTP binding is reset; upgrading alone does not revoke it.

  7. 17.09.2025 19:23 · 9 articles

    SonicWall MySonicWall breach exposes firewall configuration files

    SonicWall initially reported that fewer than 5% of its firewall customers were affected, then confirmed that every customer using the MySonicWall cloud backup service was impacted. The exposed files contain configuration data and AES-256-encrypted credentials. Customers can check whether their devices are affected by logging into MySonicWall and opening 'Product Management → Issue List'. Administrators should follow the Essential Credential Reset steps, prioritizing active, internet-facing firewalls.

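The 11.10.2025 entry notes that the compromised SSL VPN accounts were accessed in rapid succession with valid credentials from 202.155.8[.]73, and the 09.10.2025 entry tells customers to monitor logins. The script below is an added example of what that monitoring can look for; it is not SonicWall's or Huntress's code. It flags three things: any login from the source IP named in the Huntress report, successful logins with no preceding failures from the same source (a password known on the first try is the signature of a stolen credential, not of guessing), and one source authenticating many distinct accounts inside a short window. The key=value log shape and the sample lines are constructed for the example; real SonicOS auth events need to be mapped into the same four fields.

```python
"""Detect SSL VPN logins that look like use of stolen, valid credentials rather
than brute force.  Added example, not SonicWall's or Huntress's code; the log
format below is a simplified, assumed shape."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IP from the Huntress report summarised on this page (defanged there).
KNOWN_BAD_SOURCES = {"202.155.8.73"}

LINE_RE = re.compile(
    r'time="(?P<ts>[^"]+)"\s+src=(?P<src>\d+\.\d+\.\d+\.\d+)\s+'
    r'user=(?P<user>\S+)\s+msg="(?P<msg>[^"]+)"'
)

# Constructed sample: a burst of first-try successes from the reported source,
# a normal user who mistypes twice before getting in, and one unrelated success.
SAMPLE_LOG = """\
time="2025-10-04 03:12:07" src=202.155.8.73 user=alice msg="SSL VPN login successful"
time="2025-10-04 03:12:19" src=202.155.8.73 user=jsmith msg="SSL VPN login successful"
time="2025-10-04 03:12:31" src=202.155.8.73 user=mjones msg="SSL VPN login successful"
time="2025-10-04 03:12:44" src=202.155.8.73 user=svc-backup msg="SSL VPN login successful"
time="2025-10-04 03:13:02" src=202.155.8.73 user=rlee msg="SSL VPN login successful"
time="2025-10-04 03:13:15" src=202.155.8.73 user=admin msg="SSL VPN login successful"
time="2025-10-04 08:01:10" src=198.51.100.7 user=bob msg="SSL VPN login failed: bad password"
time="2025-10-04 08:01:25" src=198.51.100.7 user=bob msg="SSL VPN login failed: bad password"
time="2025-10-04 08:01:40" src=198.51.100.7 user=bob msg="SSL VPN login successful"
time="2025-10-04 09:30:00" src=203.0.113.9 user=carol msg="SSL VPN login successful"
"""


def parse_line(line):
    """Return {ts, src, user, success} for an auth line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "user": m["user"],
        "success": "login successful" in m["msg"].lower(),
    }


def analyze(lines, window=timedelta(minutes=10), spray_threshold=5):
    """Return a list of (kind, src, detail) findings over the given log lines."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings = []
    failures = defaultdict(int)            # (src, user) -> failures seen so far
    successes_by_src = defaultdict(list)   # src -> [(ts, user)] in time order

    for e in events:
        key = (e["src"], e["user"])
        if not e["success"]:
            failures[key] += 1
            continue
        if e["src"] in KNOWN_BAD_SOURCES:
            findings.append(("known_bad_source", e["src"], e["user"]))
        if failures[key] == 0:
            # Valid credential on the first attempt: no guessing happened.
            findings.append(("first_try_success", e["src"], e["user"]))
        successes_by_src[e["src"]].append((e["ts"], e["user"]))

    for src, hits in successes_by_src.items():
        # One source walking through many accounts inside `window` is a spray
        # with a harvested credential set; report it once per source.
        for i, (start, _) in enumerate(hits):
            users = {u for ts, u in hits[i:] if ts - start <= window}
            if len(users) >= spray_threshold:
                findings.append(("credential_spray", src, sorted(users)))
                break
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {src:16} {detail}")
```

Tune `window` and `spray_threshold` to the size of the VPN user base; on a small site even three distinct accounts from one new source in a few minutes is worth a look, and the first-try-success rule should be weighted by whether the source IP has ever been seen for that user before.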


Similar Happenings

Cyber Incident Affects Multiple London Councils

Multiple local authorities in London, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC), are responding to a serious cybersecurity incident identified on Monday morning. The incident has impacted several systems, including phone lines, and both councils have notified the UK Information Commissioner’s Office (ICO) and are working with the National Cyber Security Centre (NCSC) on incident response. RBKC and WCC share IT systems and services, which may explain the simultaneous impact. Hammersmith and Fulham Council is also reportedly affected. RBKC confirmed that some data has been copied and taken away, potentially impacting historical data. The councils have invoked business continuity and emergency plans to ensure critical services are maintained, focusing on supporting the most vulnerable residents. RBKC's IT team worked throughout the night to implement mitigations. Additionally, Hackney Council raised internal cybersecurity threat levels to 'critical' and warned staff about phishing attacks, despite not being directly affected by this incident. RBKC expects at least two weeks of continued disruption as they bring services back online. Westminster City Council confirmed the disruption would last for several weeks, though most services are still running. Hammersmith and Fulham Council has taken steps to isolate and safeguard its networks, with some systems still unavailable.

Sensitive Data Exposed via Publicly Accessible Code-Formatting Tools

Over 80,000 JSON snippets containing sensitive credentials, authentication keys, and configuration data from organizations in critical sectors were exposed through the Recent Links feature of JSONFormatter and CodeBeautify. The data, totaling over 5GB, included Active Directory credentials, database and cloud credentials, private keys, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, and personally identifiable information (PII). Researchers found that threat actors actively scanned and accessed this exposed data, with some organizations failing to remediate the issue. The exposed data impacted sectors such as government, banking, healthcare, and cybersecurity, with some credentials linked to major financial exchanges and managed security service providers (MSSPs). The Recent Links feature, which lacks access controls, allows anyone to scrape the data using predictable URLs. Researchers also set up a honeypot to confirm that threat actors were actively scanning for sensitive information, with access attempts recorded even after the links had expired. Both JSONFormatter and CodeBeautify have temporarily disabled the save functionality in response to the research, claiming they are working on enhanced NSFW content prevention measures.

Fortinet FortiWeb Vulnerabilities Exploited in the Wild

Fortinet has disclosed a new medium-severity vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited. This vulnerability, with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The flaw was patched in version 8.0.2. Additionally, Fortinet silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in the same version. Exploitation campaigns have been observed chaining these vulnerabilities to facilitate authentication bypass and command injection. Fortinet's handling of these disclosures has been criticized for its delayed and fragmented approach. This development highlights the ongoing risks associated with unpatched vulnerabilities in network security appliances and the importance of timely and transparent disclosure practices.

SonicWall SonicOS SSLVPN Stack-Based Buffer Overflow Vulnerability

SonicWall has disclosed a high-severity stack-based buffer overflow vulnerability (CVE-2025-40601) in SonicOS SSLVPN that allows unauthenticated attackers to cause a denial-of-service (DoS) condition, crashing affected firewalls. The flaw impacts Gen8 and Gen7 hardware and virtual firewalls. SonicWall has not observed active exploitation and urges users to apply patches or mitigate the risk by disabling the SSLVPN service or restricting access to trusted sources. Additionally, SonicWall patched two vulnerabilities in its Email Security appliances that could lead to arbitrary code execution and information disclosure.

Landfall Android Spyware Exploits Samsung Zero-Day via WhatsApp

The Landfall Android spyware targeted Samsung devices through a zero-day vulnerability (CVE-2025-21042) in a Samsung image processing library. The exploit was delivered as a malicious DNG image sent through WhatsApp and affected the Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4. The spyware enables microphone recording, location tracking, and data exfiltration. The attacks have been ongoing since at least July 2024; Samsung patched the vulnerability in April 2025. The threat actor, tracked as CL-UNK-1054, remains unidentified, with potential links to the Stealth Falcon group and other surveillance vendors; targets were primarily individuals in the Middle East and North Africa. The exploit is zero-click: the malicious DNG files carry an embedded ZIP archive containing a shared object library that runs the spyware. The spyware manipulates the device's SELinux policy to gain elevated permissions and persist, and communicates with a command-and-control (C2) server over HTTPS for beaconing and next-stage payloads. It fingerprints devices by hardware and SIM identifiers and targets a broad range of Samsung's recent flagship models, excluding the latest S25 series. Unit 42 identified six C2 servers linked to the Landfall campaign, some flagged by Turkey's CERT; C2 domain registration and infrastructure patterns resemble those seen in Stealth Falcon operations originating from the United Arab Emirates. CISA has added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within three weeks.