SonicWall MySonicWall Breach Exposes Firewall Configuration Files
Summary
SonicWall has confirmed that all customers using its cloud backup service had firewall configuration files accessed by an unauthorized actor. The accessed backup files contain AES-256-encrypted credentials and configuration data, increasing the risk of targeted attacks. SonicWall disclosed the breach, which affected MySonicWall accounts, in September 2025; it was initially detected in early September 2025 and was caused by a series of brute-force attacks. Because the exposed files may contain credentials and tokens for services running on SonicWall devices, they could make SonicWall firewalls easier for threat actors to exploit. SonicWall has advised customers to reset credentials, update secrets, and follow detailed guidance to mitigate potential risks. The company has cut off the attackers' access and is collaborating with Mandiant and law enforcement agencies. There is no evidence that threat actors have leveraged the exposed data against impacted customers in attacks at this time. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds.
SonicWall confirmed that attackers accessed the API service for cloud backup. Separately, the threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance. Over 100 SonicWall SSL VPN accounts across 16 customer accounts have been compromised. The compromised accounts were accessed rapidly, indicating the use of valid credentials rather than brute-forcing. The compromised accounts were accessed from the IP address 202.155.8[.]73. In some cases, threat actors conducted network scanning and attempted to access local Windows accounts. Huntress has not found evidence linking the breach to the recent spike in compromises.
Timeline
- 11.10.2025 16:30 · 1 article
Over 100 SonicWall SSL VPN accounts compromised in widespread attack
Over 100 SonicWall SSL VPN accounts across 16 customer accounts have been compromised. The compromised accounts were accessed rapidly, indicating the use of valid credentials rather than brute-forcing. The activity commenced on October 4, 2025, and originated from the IP address 202.155.8[.]73. In some cases, threat actors conducted network scanning and attempted to access local Windows accounts. Huntress has not found evidence linking this compromise to the previously reported breach of MySonicWall accounts.
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- 09.10.2025 14:10 · 5 articles
SonicWall releases remediation tools and guidance for impacted customers
SonicWall has advised organizations using the MySonicWall cloud configuration backup service to reset credentials, restrict WAN management, revoke external API keys, monitor logins, and enforce MFA. Organizations should also note that the subsequently compromised SSL VPN accounts were accessed with valid credentials rather than by brute-forcing.
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- 24.09.2025 16:00 · 1 article
UNC6148 deploys OVERSTEP malware on SonicWall SMA devices
The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819.
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- 23.09.2025 16:15 · 2 articles
SonicWall releases firmware update to remove rootkit malware from SMA 100 devices
The OVERSTEP malware modifies the appliance's boot process to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware allows attackers to remove log entries to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance.
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- 18.09.2025 17:12 · 3 articles
Akira ransomware group targets unpatched SonicWall devices
The Akira ransomware group bypasses MFA on SonicWall VPN accounts using previously stolen OTP seeds. The group employs Impacket SMB session setup requests, RDP logins, and Active Directory enumeration tools. They target Veeam Backup & Replication servers to extract and decrypt stored credentials. Additionally, the attackers employ BYOVD attacks to disable endpoint protection processes, allowing the ransomware to run without being blocked. This activity has impacted even devices running SonicOS 7.3.0, the release recommended for mitigating credential attacks.
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- 17.09.2025 19:23 · 9 articles
SonicWall MySonicWall breach exposes firewall configuration files
The breach affected all customers using the cloud backup service. The exposed files contain AES-256-encrypted credentials and configuration data. Users can check if their devices are among the impacted ones by logging into MySonicWall and going to 'Product Management → Issue List.' Administrators should follow the Essential Credential Reset steps, prioritizing active, internet-facing firewalls. SonicWall initially reported that fewer than 5% of firewall customers were affected by the breach, but later confirmed that all customers using the cloud backup service were impacted.
- SonicWall warns customers to reset credentials after breach — www.bleepingcomputer.com — 17.09.2025 19:23
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
Information Snippets
- SonicWall detected a breach affecting MySonicWall accounts, leading to the exposure of firewall configuration backup files.
  First reported: 17.09.2025 19:23 · 4 sources, 9 articles
- SonicWall warns customers to reset credentials after breach — www.bleepingcomputer.com — 17.09.2025 19:23
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- The exposed files contain sensitive information, including credentials and tokens, which could be exploited by threat actors.
  First reported: 17.09.2025 19:23 · 4 sources, 9 articles
- SonicWall warns customers to reset credentials after breach — www.bleepingcomputer.com — 17.09.2025 19:23
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- SonicWall has provided detailed guidance for administrators to reset credentials, update secrets, and detect potential threat activity.
  First reported: 17.09.2025 19:23 · 4 sources, 7 articles
- SonicWall warns customers to reset credentials after breach — www.bleepingcomputer.com — 17.09.2025 19:23
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- Administrators are advised to disable or restrict access to services from the WAN before resetting credentials.
  First reported: 17.09.2025 19:23 · 4 sources, 6 articles
- SonicWall warns customers to reset credentials after breach — www.bleepingcomputer.com — 17.09.2025 19:23
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- SonicWall has cut off attackers' access and is collaborating with cybersecurity and law enforcement agencies.
  First reported: 17.09.2025 19:23 · 4 sources, 9 articles
- SonicWall warns customers to reset credentials after breach — www.bleepingcomputer.com — 17.09.2025 19:23
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- The breach was initially reported to have impacted fewer than 5% of SonicWall customers.
  First reported: 18.09.2025 17:12 · 3 sources, 3 articles
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- The breach was a series of brute-force attacks targeting cloud backup files.
  First reported: 18.09.2025 17:12 · 4 sources, 7 articles
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- SonicWall provided a modified preferences file to affected customers, including randomized passwords and keys.
  First reported: 18.09.2025 17:12 · 3 sources, 4 articles
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- The Akira ransomware group has targeted unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766).
  First reported: 18.09.2025 17:12 · 3 sources, 5 articles
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Akira ransomware actors used exposed recovery codes to disable Huntress EDR agents and suppress incident visibility.
  First reported: 18.09.2025 17:12 · 1 source, 1 article
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers — thehackernews.com — 18.09.2025 17:12
- SonicWall confirmed that attackers accessed the API service for cloud backup.
  First reported: 18.09.2025 22:26 · 4 sources, 8 articles
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- There is no evidence that threat actors have leveraged exposed data against impacted customers in attacks at this time.
  First reported: 18.09.2025 22:26 · 2 sources, 4 articles
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- SonicWall released firmware update 10.2.2.2-92sv to remove rootkit malware from SMA 100 series devices.
  First reported: 23.09.2025 16:15 · 3 sources, 4 articles
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- The update addresses OVERSTEP malware deployed by UNC6148 on end-of-life SMA 100 devices.
  First reported: 23.09.2025 16:15 · 3 sources, 4 articles
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- OVERSTEP malware steals sensitive files, including persist.database and certificate files, enabling persistent access.
  First reported: 23.09.2025 16:15 · 3 sources, 3 articles
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- The threat actor UNC6148 has notable overlaps with Abyss-related ransomware incidents.
  First reported: 23.09.2025 16:15 · 2 sources, 3 articles
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- SonicWall urges SMA 100 series users to upgrade to the 10.2.2.2-92sv firmware version.
  First reported: 23.09.2025 16:15 · 3 sources, 4 articles
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- SonicWall SMA 100 series devices include SMA 210, 410, and 500v.
  First reported: 24.09.2025 16:00 · 3 sources, 3 articles
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- The OVERSTEP malware modifies the appliance's boot process to maintain persistent access.
  First reported: 24.09.2025 16:00 · 3 sources, 3 articles
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- The OVERSTEP malware steals sensitive credentials and conceals its own components.
  First reported: 24.09.2025 16:00 · 3 sources, 3 articles
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- The OVERSTEP malware allows attackers to remove log entries to evade detection and hide files and activity.
  First reported: 24.09.2025 16:00 · 3 sources, 3 articles
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP.
  First reported: 24.09.2025 16:00 · 3 sources, 3 articles
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819.
  First reported: 24.09.2025 16:00 · 3 sources, 3 articles
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- Signs of compromise include gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets.
  First reported: 24.09.2025 16:00 · 3 sources, 3 articles
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance.
  First reported: 24.09.2025 16:00 · 3 sources, 3 articles
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- The Akira ransomware group bypasses MFA on SonicWall VPN accounts using previously stolen OTP seeds.
  First reported: 28.09.2025 21:49 · 2 sources, 2 articles
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- Akira ransomware actors use Impacket SMB session setup requests, RDP logins, and Active Directory enumeration tools.
  First reported: 28.09.2025 21:49 · 2 sources, 2 articles
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- Akira ransomware targets Veeam Backup & Replication servers to extract and decrypt stored credentials.
  First reported: 28.09.2025 21:49 · 2 sources, 2 articles
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- Akira ransomware employs BYOVD attacks to disable endpoint protection processes.
  First reported: 28.09.2025 21:49 · 2 sources, 2 articles
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- Akira ransomware activity has impacted even devices running SonicOS 7.3.0, the release recommended for mitigating credential attacks.
  First reported: 28.09.2025 21:49 · 2 sources, 2 articles
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- SonicWall confirmed that all customers using its cloud backup service had firewall configuration files accessed by an unauthorized actor.
  First reported: 09.10.2025 14:10 · 2 sources, 2 articles
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- The accessed backup files contain encrypted credentials and configuration data.
  First reported: 09.10.2025 14:10 · 2 sources, 2 articles
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- Suspicious activity targeting the firewall cloud backup service was first detected in early September 2025.
  First reported: 09.10.2025 14:10 · 1 source, 1 article
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- SonicWall is working with Mandiant to notify all impacted partners and customers.
  First reported: 09.10.2025 14:10 · 4 sources, 5 articles
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- SonicWall has released tools to assist with device assessment and remediation.
  First reported: 09.10.2025 14:10 · 4 sources, 5 articles
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Customers can view the updated final lists of impacted firewalls in the MySonicWall portal.
First reported: 09.10.2025 14:10 (4 sources, 5 articles)
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Each device has been assigned a priority level to help customers prioritize remediation efforts.
First reported: 09.10.2025 14:10 (2 sources, 3 articles)
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Containment and remediation actions should be taken for listed firewalls, following SonicWall guidance.
First reported: 09.10.2025 14:10 (4 sources, 5 articles)
- All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen — www.infosecurity-magazine.com — 09.10.2025 14:10
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
SonicWall has confirmed that the breach affected all customers using the cloud backup service, rather than fewer than 5% as initially reported.
First reported: 09.10.2025 16:48 (3 sources, 4 articles)
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Each device on the list of impacted devices in the MySonicWall portal has been assigned a priority level to help customers prioritize remediation efforts.
First reported: 09.10.2025 16:48 (2 sources, 3 articles)
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
The priority levels are: Active – High Priority for devices with internet-facing services enabled, Active – Lower Priority for devices without internet-facing services, and Inactive for devices that have not pinged home for 90 days.
First reported: 09.10.2025 16:48 (2 sources, 3 articles)
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
SonicWall has released tools to assist with device assessment and remediation.
First reported: 09.10.2025 16:48 (3 sources, 4 articles)
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Users are advised to log in to MySonicWall.com, verify if cloud backups exist for registered firewalls, and follow containment and remediation guidelines if impacted serial numbers are listed.
First reported: 09.10.2025 16:48 (3 sources, 4 articles)
- Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks — thehackernews.com — 09.10.2025 16:48
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
SonicWall has confirmed that all customers using the cloud backup service had firewall configuration files accessed by an unauthorized actor.
First reported: 09.10.2025 17:13 (3 sources, 3 articles)
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
The exposed files contain AES-256-encrypted credentials and configuration data.
First reported: 09.10.2025 17:13 (3 sources, 3 articles)
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
SonicWall has completed its investigation into the scope of the cloud backup security incident in collaboration with Mandiant.
First reported: 09.10.2025 17:13 (3 sources, 3 articles)
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Users can check if their devices are among the impacted ones by logging into MySonicWall and going to 'Product Management → Issue List.'
First reported: 09.10.2025 17:13 (3 sources, 3 articles)
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Administrators should follow the Essential Credential Reset steps, prioritizing active, internet-facing firewalls.
First reported: 09.10.2025 17:13 (3 sources, 3 articles)
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
SonicWall initially reported that fewer than 5% of firewall customers were affected by the breach, but later confirmed that all customers using the cloud backup service were impacted.
First reported: 09.10.2025 22:10 (2 sources, 2 articles)
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
SonicWall has implemented additional security hardening measures and is working closely with Mandiant to enhance its cloud infrastructure and monitoring systems.
First reported: 09.10.2025 22:10 (2 sources, 2 articles)
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
The breach investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers using SonicWall's cloud backup service.
First reported: 09.10.2025 22:10 (2 sources, 2 articles)
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
SonicWall has released tools to assist with device assessment and remediation, and is notifying all impacted customers.
First reported: 09.10.2025 22:10 (2 sources, 2 articles)
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
SonicWall advises that some secrets configured in SonicOS may need to be updated elsewhere, such as with the ISP, Dynamic DNS provider, email provider, remote IPSec VPN peer, or LDAP/RADIUS server.
First reported: 09.10.2025 22:10 (2 sources, 2 articles)
- SonicWall: 100% of Firewall Backups Possibly Breached — www.darkreading.com — 09.10.2025 22:10
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Over 100 SonicWall SSL VPN accounts across 16 customer accounts have been compromised.
First reported: 11.10.2025 16:30 (1 source, 1 article)
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
The compromised accounts were accessed rapidly, indicating the use of valid credentials rather than brute-forcing.
First reported: 11.10.2025 16:30 (1 source, 1 article)
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
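A defender-side check for the pattern described above (accounts logged into in rapid succession with no failed attempts, as opposed to a brute-force burst of failures before a success), written as an added example that is not part of the original report or of any vendor tooling. The log layout (`timestamp src=... user=... result=...`), the sample lines and the thresholds are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSL VPN authentication log (not real SonicWall output;
# the key=value layout is an assumption for this example).
_BASE = [
    "2025-10-06T02:00:01Z src=203.0.113.10 user=alice result=success",
    "2025-10-06T02:00:03Z src=203.0.113.10 user=bob result=success",
    "2025-10-06T02:00:04Z src=203.0.113.10 user=carol result=success",
    "2025-10-06T02:00:06Z src=203.0.113.10 user=dave result=success",
    "2025-10-06T02:00:07Z src=203.0.113.10 user=erin result=success",
]
# A burst of 12 failed attempts on one account, then a success: brute force.
_BASE += [f"2025-10-06T02:10:{s:02d}Z src=198.51.100.7 user=frank result=failure"
          for s in range(0, 36, 3)]
_BASE.append("2025-10-06T02:10:40Z src=198.51.100.7 user=frank result=success")
# A single ordinary login from a third source.
_BASE.append("2025-10-06T03:00:00Z src=192.0.2.5 user=grace result=success")
SAMPLE_LOG = "\n".join(_BASE) + "\n"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\w+)$"
)


def parse_auth_log(text):
    """Return (timestamp, source, user, succeeded) tuples; skip lines that do
    not fit the assumed layout instead of failing on them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "success"))
    return events


def max_distinct_users(successes, window):
    """Largest number of distinct accounts one source logged into within any
    sliding window of the given length (successes: list of (ts, user))."""
    successes = sorted(successes)
    best, j = 0, 0
    for i in range(len(successes)):
        while j < len(successes) and successes[j][0] - successes[i][0] <= window:
            j += 1
        best = max(best, len({u for _, u in successes[i:j]}))
    return best


def classify_sources(text, window=timedelta(minutes=5), min_accounts=3,
                     max_failures=10):
    """Per source IP: flag rapid multi-account success with few failures as
    valid-credential use, a pile of failures as brute force, else normal."""
    by_src = defaultdict(lambda: {"successes": [], "failures": 0})
    for ts, src, user, ok in parse_auth_log(text):
        if ok:
            by_src[src]["successes"].append((ts, user))
        else:
            by_src[src]["failures"] += 1
    verdicts = {}
    for src, d in by_src.items():
        burst = max_distinct_users(d["successes"], window)
        if burst >= min_accounts and d["failures"] < len(d["successes"]):
            verdict = "valid-credential-use"
        elif d["failures"] >= max_failures:
            verdict = "brute-force"
        else:
            verdict = "normal"
        verdicts[src] = {"distinct_accounts_in_window": burst,
                         "failures": d["failures"],
                         "successes": len(d["successes"]),
                         "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

Sources flagged as valid-credential-use are the ones to cross-check against the post-breach credential reset, since a lockout policy alone would not stop them.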
The compromised accounts were accessed from the IP address 202.155.8[.]73.
First reported: 11.10.2025 16:30 (1 source, 1 article)
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
In some cases, threat actors conducted network scanning and attempted to access local Windows accounts.
First reported: 11.10.2025 16:30 (1 source, 1 article)
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Huntress has not found evidence linking the breach to the recent spike in compromises.
First reported: 11.10.2025 16:30 (1 source, 1 article)
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
Similar Happenings
Increased Scanning Activity on Palo Alto Networks Login Portals
A significant increase in scanning activity targeting Palo Alto Networks login portals was observed on October 3, 2025. The activity involved 1,300 unique IP addresses, with 91% classified as suspicious and 7% as malicious. The scans were geolocated primarily in the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance efforts. This surge shares characteristics with recent scanning activity targeting Cisco ASA devices, which was followed by the disclosure of zero-day vulnerabilities. The scans are likely part of a broader pattern of increased malicious activity targeting network security appliances. Palo Alto Networks customers are advised to ensure they are running the latest software versions. Additionally, an increase in exploitation attempts of an old path traversal vulnerability in Grafana was observed, with 110 unique malicious IPs, most from Bangladesh, launching attacks on September 28, 2025. GreyNoise will continue monitoring the activity in case it precedes a new Palo Alto vulnerability disclosure. Security products remain a popular target for threat actors, with recent increases in attacks from the Akira ransomware group aimed at SonicWall SSL VPN appliances. AI is being used by cyber-threat actors to enhance existing tactics, techniques, and procedures (TTPs) in victim reconnaissance, vulnerability research, and exploit development.
Increased Scanning for PAN-OS GlobalProtect Vulnerability
SANS Internet Storm Center has observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). This flaw, disclosed last year, allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. The vulnerability is a command injection flaw that can be exploited to gain unauthorized access and control over vulnerable firewalls. This development underscores the ongoing threat posed by unpatched systems and the importance of timely security updates. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.
Clop extortion campaign targets Oracle E-Business Suite
The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Clop ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Oracle has confirmed that known vulnerabilities in its E-Business Suite, patched in July 2025, may have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for E-Business Suite. Three of these vulnerabilities are critical and three others are exploitable remotely without authentication. The extortion emails are part of a broader campaign, with the attackers sending messages from compromised accounts, some previously associated with the FIN11 threat group. Mandiant and GTIG are investigating the claims and recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms.
The UK’s National Cyber Security Centre (NCSC) has advised Oracle EBS customers to patch the critical vulnerability CVE-2025-61882, which is being exploited by the Clop ransomware group. The NCSC has urged customers to apply an emergency security update from Oracle, published over the weekend, to address the zero-day vulnerability CVE-2025-61882. The vulnerability impacts Oracle EBS versions 12.2.3-12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC has warned that the Scattered Lapsus$ Hunters group has leaked the exploit used by the Clop gang, increasing the risk of opportunistic attacks on Oracle customers. Rapid7 has advised customers of affected Oracle EBS instances to conduct threat hunting to detect any potential malicious activity, given that exploitation in the wild may have occurred since August 2025. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation from multiple groups within days. Harvard University is the first confirmed victim of the recent cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution. The hackers have made available over 1.3 TB of archive files that allegedly contain Harvard data. The organization believes the incident impacts a limited number of parties associated with a small administrative unit. The vulnerability exploited by the hackers has been patched and there is no evidence of other systems being compromised. Google’s Threat Intelligence Group (GTIG) and Mandiant believe dozens of organizations have been targeted.
The cybercriminals behind the Oracle EBS campaign sent out extortion emails to executives at the targeted organizations on behalf of the Cl0p ransomware group, likely due to the reputation it has built after conducting similar campaigns in the past. Those campaigns targeted customers of Cleo, MOVEit, Fortra and Accellion file transfer products. The attacks targeting Oracle EBS customers appear to have involved the exploitation of known and zero-day vulnerabilities, as well as the deployment of sophisticated malware. CrowdStrike reported that exploitation of the software flaws appears to have started on August 9, but Google has seen some indication that the attacks may have begun as early as July 10.
ArcaneDoor Campaign Exploits Cisco Zero-Day Vulnerabilities
A threat cluster dubbed ArcaneDoor has been exploiting two zero-day vulnerabilities in Cisco firewalls to deliver previously undocumented malware families, RayInitiator and LINE VIPER. These vulnerabilities, CVE-2025-20362 and CVE-2025-20333, allow attackers to bypass authentication and execute malicious code on susceptible appliances. The campaign is linked to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849). The malware families represent a significant evolution in sophistication and evasion capabilities compared to previous campaigns. The attacks have been ongoing since at least September 2025, targeting organizations in various sectors. The exploitation of these vulnerabilities underscores the need for immediate patching and enhanced security measures for Cisco firewalls.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances are vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. GreyNoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave 24 hours to FCEB agencies to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed the LINE VIPER shellcode loader malware and the RayInitiator GRUB bootkit.