{"id":39624,"date":"2025-10-12T11:09:04","date_gmt":"2025-10-12T09:09:04","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=39624"},"modified":"2025-10-12T19:10:00","modified_gmt":"2025-10-12T17:10:00","slug":"sonicwall-sslvpn-sicherheitslucken-breit-ausgenutzt","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/10\/12\/sonicwall-sslvpn-sicherheitslucken-breit-ausgenutzt\/","title":{"rendered":"SonicWall SSLVPN compromised: Vulnerabilities widely exploited"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Sicherheit (Pexels, allgemeine Nutzung)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" alt=\"Sicherheit (Pexels, allgemeine Nutzung)\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/10\/12\/sonicwall-sslvpn-sicherheitsluecken-breit-ausgenutzt\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Since October 4, 2025, security experts at Huntress have observed a sharp increase in compromised SonicWall SSLVPN instances. The nature of the attacks and the speed with which the attackers penetrate the systems suggest that they have valid login credentials.<\/p>\n<p><!--more--><\/p>\n<h2>The cloud backup incident<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg07.met.vgwort.de\/na\/75f05250b0054b7ca50fb381ce9ff6b7\" alt=\"\" width=\"1\" height=\"1\" \/>SonicWall recently experienced a security incident in which backup files of the firewall configuration were exposed. Unauthorized persons were able to view this information via the Internet. SonicWall disclosed the incident on September 17, 2025, in the support article <a href=\"https:\/\/www.sonicwall.com\/support\/knowledge-base\/mysonicwall-cloud-backup-file-incident\/250915160910330\" target=\"_blank\" rel=\"noopener\">MySonicWall Cloud Backup File Incident<\/a>. 
I reported on this in the blog post <a href=\"https:\/\/borncity.com\/win\/2025\/09\/17\/mysonicwall-cloud-backup-file-incident-configuration-backup-disclosed\/\" rel=\"bookmark\">MySonicWall Cloud Backup File Incident: Configuration backup disclosed<\/a>.<\/p>\n<p>It is now known that all customers who have used MySonicWall Cloud Backup are affected by this incident (see <a href=\"https:\/\/borncity.com\/win\/2025\/10\/10\/mysonicwall-cloud-backup-file-incident-all-customers-affected\/\" rel=\"bookmark\">MySonicWall Cloud Backup File Incident: All customers affected<\/a>). It is also known that the ransomware group Akira can hack SonicWall VPN accounts and bypass MFA security (see <a href=\"https:\/\/borncity.com\/win\/2025\/09\/30\/akira-hacks-sonicwall-vpn-accounts-even-those-with-mfa-protection\/\" rel=\"bookmark\">Akira hacks SonicWall VPN accounts (even those with MFA protection)<\/a>). This serves as a preliminary remark to the following sections.<\/p>\n<h2>Attacks on SonicWall SSLVPN instances<\/h2>\n<p>Security provider Huntress has been observing a campaign of successful attacks on SonicWall SSLVPN instances since October 4, 2025, which continued until October 10, 2025. 
This is evident from the following <a href=\"https:\/\/x.com\/HuntressLabs\/status\/1976777719515079034\" target=\"_blank\" rel=\"noopener\">tweet<\/a> dated October 11, 2025.<\/p>\n<p><a href=\"https:\/\/x.com\/HuntressLabs\/status\/1976777719515079034\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/dQXgpKQn\/image.png\" alt=\"Angriffe auf SonicWall SSLVPNs\" width=\"597\" height=\"607\" \/><\/a><\/p>\n<p>The attackers quickly authenticate themselves across different devices, leading Huntress to conclude that valid login credentials are being used and that the compromise is not the result of brute force attacks.<\/p>\n<ul>\n<li>As of October 10, 2025, over 100 SSLVPN accounts have been compromised.<\/li>\n<li>Sixteen organizations have been affected by these successful attacks.<\/li>\n<li>The activities began on October 4, 2025, from the IP address: 202.155.8[.]73<\/li>\n<\/ul>\n<p>Some passive accesses were observed. Other activities included scans and access to Windows accounts.<\/p>\n<h2>What administrators can do<\/h2>\n<p>In the following <a href=\"https:\/\/x.com\/HuntressLabs\/status\/1976777722920849784\" target=\"_blank\" rel=\"noopener\">tweet<\/a>, Huntress provides some advice on what administrators of SonicWall SSLVPN instances should do urgently. 
This includes the following measures:<\/p>\n<p><a href=\"https:\/\/x.com\/HuntressLabs\/status\/1976777722920849784\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/SKfJ1rWf\/image.png\" alt=\"Huntress zu SonicWall SSLVPN-Angriffen\" width=\"565\" height=\"800\" \/><\/a><\/p>\n<ul>\n<li>Block WAN\/remote access<\/li>\n<li>Disable SSLVPN, HTTP\/S, and SSH until login credentials are reset<\/li>\n<li>Reset ALL login credentials + secrets<\/li>\n<li>Revoke automation keys, DNS, and SMTP login credentials<\/li>\n<li>Enforce MFA everywhere<\/li>\n<\/ul>\n<p>Log files should also be checked for suspicious activity. Huntress has published <a href=\"https:\/\/www.huntress.com\/blog\/sonicwall-sslvpn-compromise\" target=\"_blank\" rel=\"noopener\">this article<\/a> on the subject. <a href=\"https:\/\/www.pwndefend.com\/2025\/10\/11\/secure-firewall-backups-until-they-are-not\/\" target=\"_blank\" rel=\"noopener\">This article<\/a> also picks up on the idea that the attackers were able to extract the access data from the exposed backups and are now exploiting it.<\/p>\n<h2>Reader feedback on a troubling observation<\/h2>\n<p><strong>Addendum:<\/strong> Shortly after the article was published, a German blog reader contacted me by email and wrote: \"I would like to add one more fact to the article that causes me great unease.\" One of his customers is directly affected (to the extent of total encryption, he says). What bothers the blog reader about the \"SonicWall backup disaster\" is the following.<\/p>\n<p>SonicWall provides instructions on how to use cloud backup: <a href=\"https:\/\/www.sonicwall.com\/support\/knowledge-base\/how-can-i-create-cloud-backup-of-sonicwall-settings\/170825122545895\" target=\"_blank\" rel=\"noopener\">How can I create cloud backup of SonicWall settings?<\/a> The reader writes that for most of the customers the company supports, the switch was set to active. 
However, no active backup was ever set up (i.e., the <em>Create Backup -&gt; Cloud Backup<\/em> option was never used). The local web interface also did not show any backups for these customers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2025\/10\/SonicWall-Backup.jpg\" alt=\"SonicWall Portal mit Cloud-Backup\" width=\"556\" height=\"247\" \/><\/p>\n<p>A look at the <em>MySonicwall<\/em> portal and the device under the <em>Cloud Backups<\/em> tab shows a different picture (see screenshot above). There you will find backups created for the various devices. The reader wrote that these entries appear with the same date for all firewalls. After that, nothing else was displayed in the list.<\/p>\n<p>For the reader and their employer, the question now arises: if no task has been set up, how were all SonicWall instances apparently instructed centrally to create a backup and upload it to the cloud? The reader concludes: There is currently a feeling that not everything has been disclosed (knowingly or unknowingly).<\/p>\n<p><strong>Similar articles:<br \/>\n<\/strong><a href=\"https:\/\/borncity.com\/win\/2025\/09\/17\/mysonicwall-cloud-backup-file-incident-configuration-backup-disclosed\/\" rel=\"bookmark\">MySonicWall Cloud Backup File Incident: Configuration backup disclosed<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2025\/09\/30\/akira-hacks-sonicwall-vpn-accounts-even-those-with-mfa-protection\/\" rel=\"bookmark\">Akira hacks SonicWall VPN accounts (even those with MFA protection)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2025\/08\/30\/early-termination-of-support-for-sonicwall-sma100\/\" rel=\"bookmark\">Early termination of support for SonicWall SMA100<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2025\/08\/08\/warning-of-attacks-on-sonicwall-firewalls-ssl-vpns\/\" rel=\"bookmark\">Warning of attacks on SonicWall firewalls (SSL VPNs)<\/a><br \/>\n<a 
href=\"https:\/\/borncity.com\/win\/2025\/10\/10\/mysonicwall-cloud-backup-file-incident-all-customers-affected\/\" rel=\"bookmark\">MySonicWall Cloud Backup File Incident: All customers affected<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Since October 4, 2025, security experts at Huntress have observed a sharp increase in compromised SonicWall SSLVPN instances. The nature of the attacks and the speed with which the attackers penetrate the systems suggest that they have valid login credentials.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[448,580,1547],"tags":[69,1544,2938],"class_list":["post-39624","post","type-post","status-publish","format-standard","hentry","category-devices","category-security","category-software","tag-security","tag-software","tag-sonicwall"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/39624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=39624"}],"version-history":[{"count":5,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/39624\/revisions"}],"predecessor-version":[{"id":39630,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/39624\/revisions\/39630"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=39624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=39624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=39624"}],"c
uries":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}