Details about the nature of the vulnerability have not been made public to prevent other threat actors from studying it and launching their own attacks.
"We've seen it used by a single threat actor earlier in the week. We were just standing the honeypot up at the time so didn't get the full request," Rich Warren, a security researcher for the NCC Group, told ZDNet.
"That led us to do some reverse engineering based on the request path, and we found the bug we believe the attacker was using."
NCC researchers said they notified SonicWall of the bug and the attacks over the weekend.
The January 23 zero-day impacted Secure Mobile Access (SMA) gateways, a type of networking device that is used inside government and enterprise networks to provide access to resources on intranets to remote employees. SonicWall listed SMA 100 Series devices as impacted by the January 23 zero-day.
A SonicWall spokesperson did not return a request for comment to confirm if NCC researchers discovered the same zero-day or a new one. The company did, however, silently update its January 23 security advisory to list the NCC finding and promise a fix until the end of the day, Feb. 2.
It listed as impacted physical and virtual SMA 100 10.x devices: SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v.
Responding on Twitter to requests to share more details on the attack so security experts could protect their customers, the NCC team recommended that device owners restrict which IP addresses are allowed to access the management interface of SonicWall devices to only IPs of authorized personnel.
They also recommended enabling multi-factor authentication (MFA) support for SonicWall device accounts.
Article updated at 8am ET with comments from Warren.