SonicWall reported a breach where attackers stole firewall configuration files from its cloud backup service, attributed to an unnamed nation-state actor. While the company claims there was no impact on its products or customer data, it remains unclear how the attackers exploited an API to conduct the breach.
Fintech firm Marquis is seeking compensation from SonicWall after a breach at the firewall provider exposed critical data, enabling hackers to steal customer information during a ransomware attack. Marquis confirmed that it stored a backup of its firewall configuration in SonicWall's cloud, linking the two incidents. SonicWall has requested evidence to support Marquis' claims.
A surge in Akira ransomware attacks targeting SonicWall SSL VPN connections has been observed since mid-July 2025, primarily exploiting unpatched versions of SonicOS. Attackers gain unauthorized access, often bypassing Multi-Factor Authentication (MFA), and can quickly escalate to data encryption and exfiltration within hours. SonicWall has issued patches for a critical zero-day vulnerability, but many devices remain vulnerable as of 2025.
Ongoing Akira ransomware attacks are successfully breaching SonicWall SSL VPN accounts even with one-time password (OTP) multi-factor authentication enabled. This exploitation is linked to previously stolen OTP seeds and an improper access control vulnerability (CVE-2024-40766), prompting SonicWall to recommend that administrators reset VPN credentials and ensure devices are running the latest firmware.
SonicWall has issued a warning regarding a critical vulnerability (CVE-2025-40599) in its SMA 100 series VPN appliances, allowing authenticated users to upload arbitrary files, potentially leading to remote code execution. Despite no evidence of active exploitation, the company advises users to patch their devices and monitor for signs of compromise due to ongoing attacks targeting the appliances. Recommendations include enhancing security measures such as enforcing multi-factor authentication and limiting remote management access.
Hackers are compromising end-of-life SonicWall Secure Mobile Access appliances, exploiting leaked administrator credentials and potentially using a custom backdoor malware called Overstep. Google’s Threat Intelligence Group urges organizations to analyze their devices for signs of compromise, as many details about the attacks and vulnerabilities remain unclear.
SonicWall has revealed that a breach of its cloud backup service impacted 100% of firewall configuration files for all affected customers, a significant increase from the previously estimated 5%. The company is working with Mandiant to enhance security measures and has advised customers on necessary remediation steps.