Recent Breaches/Incidents
1. Pharmaceutical Firm Inotiv Confirms Ransomware Attack and Data Breach
Description:
Inotiv, a major U.S. pharmaceutical research and contract drug-development company based in Indiana, disclosed that it was the victim of a ransomware attack in August 2025, resulting in a significant data breach and operational disruption.
According to regulatory filings and company notices, a threat actor gained unauthorized access to Inotiv’s systems between August 5 and August 8, 2025. During this period, ransomware was deployed, disrupting business operations and encrypting critical systems, including internal databases and applications. The incident forced parts of the company’s network offline as teams worked to contain the breach and restore availability.
Inotiv has since begun notifying affected individuals. As many as 9,542 people — including current and former employees, their family members, and others who have interacted with the company — are being informed that their personal information may have been stolen. While Inotiv has not publicly detailed which specific data elements were compromised, external reporting indicates the stolen data may include a mix of personal identifiers and sensitive information.
The ransomware operation is believed to be linked to the Qilin ransomware group, which claimed responsibility and posted samples of allegedly stolen data — more than 162,000 files totaling approximately 176 GB — on a dark web leak site. Inotiv has not confirmed the accuracy of these claims or whether a ransom payment was made.
In its disclosure, Inotiv stated it has restored access to impacted systems and continues to investigate the incident. The full operational and financial impact remains under assessment, and the company is completing required legal notifications and offering support services such as credit monitoring to affected individuals.
Advisories/Vulnerabilities/Alerts
1. Critical SonicOS SSLVPN Vulnerability Could Crash Firewalls
Source Advisory URL: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016/
Description:
SonicWall has disclosed a high-severity vulnerability affecting the SSLVPN service in SonicOS, the operating system that runs on many of its Gen7 and Gen8 firewalls. Tracked as CVE-2025-40601, this flaw stems from a stack-based buffer overflow and could allow a remote, unauthenticated attacker to disrupt firewall availability by crashing the device.
The vulnerability can be triggered without any authentication, meaning an attacker does not need to log in to exploit it. By sending specially crafted traffic to the SSLVPN interface, the attacker can cause a Denial-of-Service (DoS) condition, potentially crashing the firewall and interrupting VPN connectivity or security enforcement.
This vulnerability affects a firewall only if the SonicOS SSLVPN service is enabled on it.
The issue affects both hardware and virtual SonicWall firewalls running certain versions of SonicOS where the SSLVPN service is enabled. Impacted systems include:
- Gen7 hardware and virtual firewalls (e.g., TZ270–TZ670, NSa and NSsp series)
- Gen8 hardware firewalls (e.g., TZ80–TZ680, NSa series)
Recommended Actions:
SonicWall has released patches that address CVE-2025-40601:
- Gen7 devices: Fixed in 7.3.1-7013 and later releases
- Gen8 devices: Fixed in 8.0.3-8011 and later releases
Administrators are strongly advised to update to these versions as soon as possible. If immediate patching is not feasible, a temporary mitigation includes restricting SSLVPN access to trusted source IP addresses or disabling the SSLVPN service for untrusted external connections until the update can be applied.
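A practical way to act on the fixed-release guidance above is to compare every firewall in an inventory against the fix levels and separate the devices that are exposed (SSLVPN enabled, below the fix) from those that are merely outdated. The following is an added example and not SonicWall tooling; it assumes SonicOS version strings use the "major.minor.patch-build" layout quoted in the advisory, and the inventory it checks is constructed for illustration.

```python
"""Triage a SonicWall firewall inventory against the CVE-2025-40601 fix levels.

Added example, not SonicWall's own tooling. Assumes SonicOS versions look like
"7.3.1-7013" (major.minor.patch-build) and that the inventory below, which is
constructed, mirrors what an administrator has recorded for each device.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed releases named in the advisory; anything at or above these is patched.
FIXED_VERSIONS = {
    "Gen7": "7.3.1-7013",
    "Gen8": "8.0.3-8011",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> tuple:
    """Turn '7.3.1-7013' into (7, 3, 1, 7013) so versions compare numerically,
    not as strings (string comparison would rank '7.3.1-999' above '7.3.1-7013')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    return tuple(int(g) for g in m.groups())


@dataclass
class Firewall:
    name: str
    generation: str      # "Gen7" or "Gen8" as used in the advisory
    version: str
    sslvpn_enabled: bool


def assess(fw: Firewall) -> str:
    """Return 'patched', 'not-exposed', 'vulnerable' or 'unknown-generation'."""
    fixed = FIXED_VERSIONS.get(fw.generation)
    if fixed is None:
        # Not covered by this advisory's fix table; check it separately.
        return "unknown-generation"
    if parse_version(fw.version) >= parse_version(fixed):
        return "patched"
    if not fw.sslvpn_enabled:
        # Below the fix but SSLVPN is off: not reachable today, still schedule the update.
        return "not-exposed"
    return "vulnerable"


def triage(inventory: list[Firewall]) -> dict[str, str]:
    """Map each device name to its status so the 'vulnerable' set can be patched first."""
    return {fw.name: assess(fw) for fw in inventory}


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Firewall("tz470-branch", "Gen7", "7.3.1-7012", True),   # one build short of the fix
    Firewall("nsa2700-hq",   "Gen7", "7.3.1-7013", True),   # exactly the fixed release
    Firewall("nsv-cloud",    "Gen7", "7.2.0-7015", False),  # old, but SSLVPN disabled
    Firewall("tz680-dc",     "Gen8", "8.0.3-8011", True),   # exactly the fixed release
    Firewall("tz80-lab",     "Gen8", "8.0.2-8020", True),   # higher build, lower patch level
    Firewall("legacy-box",   "Gen6", "6.5.4-4400", True),   # outside this advisory's table
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14s} {status}")
```

The "tz80-lab" entry is the case a naive string or build-number comparison gets wrong: its build number (8020) is higher than the fixed build (8011), but its patch level (8.0.2) is below 8.0.3, so the tuple comparison correctly reports it as vulnerable.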
2. Surge in VPN Login Attempts Targeting Palo Alto GlobalProtect Portals
Source Advisory URL: https://www.bleepingcomputer.com/news/security/new-wave-of-vpn-login-attempts-targets-palo-alto-globalprotect-portals/
Description:
A new wave of malicious activity has been observed targeting Palo Alto Networks’ GlobalProtect VPN portals, raising concerns for organizations that rely on these systems for secure remote access. Beginning on December 2, 2025, threat actors launched extensive login attempts against exposed GlobalProtect portals.
According to threat intelligence from GreyNoise, the campaign originated from over 7,000 IP addresses associated with a German hosting provider, 3xK GmbH (AS200373). These IPs generated millions of HTTP sessions directed at GlobalProtect login interfaces, suggesting coordinated efforts to identify weak or exposed authentication surfaces.
GlobalProtect serves as a critical VPN and remote access solution for many enterprises, government agencies, and service providers. The observed activity includes brute-force and credential-stuffing attempts aimed at portal logins, potentially seeking additional vulnerabilities or misconfigurations.
In response to these widespread login attempts, Palo Alto Networks clarified that this activity reflects credential-based attacks rather than exploitation of a specific PAN-OS vulnerability. Internal telemetry and security platforms, including Cortex XSIAM, continue to monitor and defend against such activity, with no evidence so far of successful compromises.
Recommended Actions:
Administrators responsible for remote access infrastructure should review access controls, enforce multi-factor authentication, and ensure exposed VPN endpoints are protected with appropriate security policies. As remote connectivity remains vital for distributed workforces, vigilance against opportunistic scanning and credential abuse remains a priority.
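The campaign described above is distributed: thousands of source IPs from a single hosting provider, so a per-IP failed-login threshold can stay silent while the aggregate is obvious. The following is an added example, not Palo Alto Networks' or GreyNoise's code; it assumes a simplified, constructed log format (timestamp, source IP, ASN, username, result) rather than the real GlobalProtect log schema, with the ASN already attached to each line by a hypothetical enrichment step. It runs two detectors over constructed sample lines: a classic per-source brute-force check, and an ASN-level check that flags many IPs trying many distinct usernames inside one time window.

```python
"""Detect single-source brute force and ASN-distributed credential stuffing
against a VPN portal from authentication logs.

Added example, not vendor tooling. Assumes a constructed CSV log layout
(ts, src_ip, asn, user, result) and that an ASN has already been attached
to each line; the sample lines below are constructed, not real telemetry.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: six IPs in AS64496 each try a different user once,
# one IP in AS64500 hammers "carol", and a real user mistypes once.
SAMPLE_LOG = """\
ts,src_ip,asn,user,result
2025-12-02T08:00:01Z,203.0.113.10,AS64496,alice,fail
2025-12-02T08:00:03Z,198.51.100.5,AS64500,carol,fail
2025-12-02T08:00:05Z,203.0.113.11,AS64496,bob,fail
2025-12-02T08:00:09Z,198.51.100.5,AS64500,carol,fail
2025-12-02T08:00:12Z,203.0.113.12,AS64496,erin,fail
2025-12-02T08:00:15Z,198.51.100.5,AS64500,carol,fail
2025-12-02T08:00:20Z,203.0.113.13,AS64496,frank,fail
2025-12-02T08:00:22Z,198.51.100.5,AS64500,carol,fail
2025-12-02T08:00:31Z,203.0.113.14,AS64496,grace,fail
2025-12-02T08:00:33Z,198.51.100.5,AS64500,carol,fail
2025-12-02T08:00:40Z,203.0.113.15,AS64496,heidi,fail
2025-12-02T08:00:41Z,198.51.100.5,AS64500,carol,fail
2025-12-02T08:01:02Z,192.0.2.7,AS64501,dave,fail
2025-12-02T08:01:20Z,192.0.2.7,AS64501,dave,success
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed CSV layout, converting timestamps to datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def find_brute_force(rows: list[dict], threshold: int = 5) -> dict:
    """Per-source detector: one IP with many failures against one account."""
    fails = Counter((r["src_ip"], r["user"]) for r in rows if r["result"] == "fail")
    return {key: n for key, n in fails.items() if n >= threshold}


def find_distributed_campaigns(rows: list[dict], window: timedelta = timedelta(minutes=10),
                               min_ips: int = 5, min_users: int = 5) -> dict:
    """ASN-level detector: within any window, flag an ASN whose failures come from
    at least min_ips distinct IPs against at least min_users distinct usernames.
    Each IP may fail only once, which is exactly what the per-IP check misses.
    (Quadratic in the number of failures; fine for a batch of log lines.)"""
    fails = sorted((r for r in rows if r["result"] == "fail"), key=lambda r: r["ts"])
    alerts: dict = {}
    for i, first in enumerate(fails):
        cutoff = first["ts"] + window
        buckets = defaultdict(lambda: {"ips": set(), "users": set(), "count": 0})
        for r in fails[i:]:
            if r["ts"] > cutoff:
                break
            b = buckets[r["asn"]]
            b["ips"].add(r["src_ip"])
            b["users"].add(r["user"])
            b["count"] += 1
        for asn, b in buckets.items():
            if len(b["ips"]) >= min_ips and len(b["users"]) >= min_users:
                # Keep the busiest window seen for this ASN.
                if asn not in alerts or b["count"] > alerts[asn]["count"]:
                    alerts[asn] = {"ips": len(b["ips"]), "users": len(b["users"]),
                                   "count": b["count"], "window_start": first["ts"]}
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("brute force:", find_brute_force(rows))
    print("distributed:", find_distributed_campaigns(rows))
```

In the sample, the per-IP check catches only the single source targeting "carol"; every AS64496 address fails just once and stays under any per-IP threshold, yet the ASN-level view reports six IPs against six usernames in under a minute. In production the ASN bucket would be fed by a real IP-to-ASN lookup, and the alert would be a natural place to confirm that MFA is enforced on the portal before any of those attempts could turn a guessed password into a session.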