Introduction
On September 16, 2025, SonicWall announced a breach impacting its MySonicWall cloud service. Threat actors managed to access cloud-based firewall configuration backups for a subset of SonicWall customers, raising serious concerns for organizations relying on the platform for perimeter security and device management.
What Happened?
SonicWall detected unauthorized access to firewall backup files stored in selected MySonicWall accounts. These backups potentially contained sensitive configuration data—including credentials, authentication tokens, and encrypted passwords—which could give attackers an opportunity to escalate privileges or attack connected services.
While the breach affected fewer than 5% of all SonicWall firewalls, the exposed data presents significant risk for targeted exploitation. SonicWall clarified that no ransomware was involved; instead, attackers used brute-force techniques against the API services associated with cloud backup preferences to gain access.
What Was Exposed?
- Firewall configuration backup files containing account credentials, API tokens, encrypted passwords, and sensitive service details.
- These files could potentially be used for privilege escalation, network compromise, or further attacks against connected ISP, DDNS, VPN, or directory servers.
Who Was Impacted?
- Fewer than 5% of all SonicWall firewalls globally had backup configurations stored in the cloud that were accessible to the threat actors.
- SonicWall has not found evidence of widespread data leaks or ransomware infection directly linked to this breach, but all customers are advised to take action.
Recommended Actions
SonicWall urges all affected users and organizations to:
- Immediately disable WAN access for any affected devices before resetting credentials.
- Reset all passwords, authentication tokens, API keys, and secrets for firewall users, VPN peers, and integrated third-party services (ISPs, DDNS, email, directory servers).
- Remove unused user accounts and update firmware to the latest patched versions.
- Review backup file contents to determine additional risks or exposed assets.
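As an added example (it is not SonicWall's tooling and does not come from the advisory), the script below turns the last two steps into a repeatable check: it walks a decoded configuration backup, assumed here to be plain key=value lines, and builds a credential-rotation checklist grouped by the integrations the advisory names, while flagging WAN-side management so that it is disabled before any reset. The key names, the rotation rules and the sample backup are constructed for illustration and are not SonicWall's real schema; only key names are ever reported, never values.

```python
import re
from collections import defaultdict

# Constructed sample of a decoded backup, assumed to be key=value lines.
# Key names are illustrative, not SonicWall's actual configuration schema.
SAMPLE_BACKUP = """\
firewallName=edge-fw-01
adminUser_0=admin
adminPassword_0=ENC:QWxhZGRpbjpvcGVuIHNlc2FtZQ==
vpnPeer_0_name=branch-office
vpnPeer_0_sharedSecret=ENC:c2VjcmV0
ddnsProvider=example-ddns
ddnsPassword=ENC:ZGRucw==
ldapServer=ldap.corp.example
ldapBindPassword=ENC:YmluZA==
smtpServer=mail.corp.example
smtpPassword=ENC:bWFpbA==
cloudBackupApiToken=tok_abc123
wanInterfaceMgmt=enabled
"""

# Secret-bearing key patterns mapped to the integration that must be rotated.
# The patterns are assumptions about key naming and only drive the checklist.
ROTATION_RULES = [
    (re.compile(r"^adminPassword_\d+$"), "firewall admin user"),
    (re.compile(r"^vpnPeer_\d+_sharedSecret$"), "VPN peer"),
    (re.compile(r"^ddnsPassword$"), "DDNS provider"),
    (re.compile(r"^ldapBindPassword$"), "directory server"),
    (re.compile(r"^smtpPassword$"), "email server"),
    (re.compile(r"^\w*ApiToken$"), "API token"),
]


def parse_backup(text):
    """Parse key=value lines into a dict; blank and malformed lines are skipped."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


def rotation_inventory(config):
    """Return {integration: [keys]} for every secret-bearing key in the backup."""
    inventory = defaultdict(list)
    for key in sorted(config):
        for pattern, integration in ROTATION_RULES:
            if pattern.match(key):
                inventory[integration].append(key)
                break
    return dict(inventory)


def wan_management_exposed(config):
    """True when the backup shows management reachable from the WAN side."""
    return config.get("wanInterfaceMgmt", "").lower() == "enabled"


def rotation_checklist(text):
    """Ordered checklist: WAN lockdown first, then one line per integration."""
    config = parse_backup(text)
    items = []
    if wan_management_exposed(config):
        items.append("Disable WAN management access before resetting credentials")
    for integration, keys in sorted(rotation_inventory(config).items()):
        items.append(f"Rotate {integration}: {', '.join(keys)}")
    return items


if __name__ == "__main__":
    for item in rotation_checklist(SAMPLE_BACKUP):
        print("[ ]", item)
```

Running the block prints a seven-item checklist for the constructed backup. Extending `ROTATION_RULES` is how a defender would cover any further integration found in a real export; the point is that every secret in the file maps to an owner who has to rotate it, so none is overlooked.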
Expert Checklist for Cyber Defenders
- Inventory all devices linked to MySonicWall backup services.
- Use the SonicWall-published checklist to ensure every rotated credential is propagated to each service that uses it; don't overlook secondary service integrations or shared secrets.
- Monitor for privilege escalation or suspicious activity in network and service logs.
- Share incident details and updated threat intelligence with IT and security teams for coordinated response.
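To make the monitoring item concrete, here is an added detection example (not SonicWall's own logic, and not from the advisory). It runs over constructed syslog-style authentication events and raises three kinds of findings a defender would want after this incident: a burst of failed logins from one source within a short window, a successful login from a source that was just seen brute-forcing, and a successful login from a source outside a known-good baseline. The log format, the field names and the baseline set are assumptions for illustration and are not SonicWall's real log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style authentication events. The format is an assumption,
# not SonicWall's actual log schema.
SAMPLE_LOG = """\
2025-09-17T08:00:01 auth user=admin src=203.0.113.10 result=failure
2025-09-17T08:00:03 auth user=admin src=203.0.113.10 result=failure
2025-09-17T08:00:04 auth user=admin src=203.0.113.10 result=failure
2025-09-17T08:00:06 auth user=admin src=203.0.113.10 result=failure
2025-09-17T08:00:07 auth user=admin src=203.0.113.10 result=failure
2025-09-17T08:00:09 auth user=admin src=203.0.113.10 result=success
2025-09-17T08:15:00 auth user=netops src=198.51.100.7 result=success
2025-09-17T09:30:00 auth user=admin src=192.0.2.44 result=success
"""

# Constructed baseline of sources from which administrative logins are expected.
KNOWN_ADMIN_SOURCES = {"198.51.100.7"}


def parse_line(line):
    """Parse '<iso-timestamp> auth k=v k=v ...' into a dict with a datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split()[1:])
    return {"time": datetime.fromisoformat(ts), **fields}


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (kind, source, user) findings in the order they are observed.

    kinds: brute_force, success_after_brute_force, login_from_unknown_source
    """
    findings = []
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()                # sources already reported for brute force
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, user, t = ev["src"], ev["user"], ev["time"]
        if ev["result"] == "failure":
            recent = failures[src]
            recent.append(t)
            # Drop failures that fell out of the sliding window.
            while recent and t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("brute_force", src, user))
        else:
            if src in flagged:
                # A success right after a failure burst is the highest-priority signal.
                findings.append(("success_after_brute_force", src, user))
            elif src not in KNOWN_ADMIN_SOURCES:
                findings.append(("login_from_unknown_source", src, user))
    return findings


if __name__ == "__main__":
    for kind, src, user in detect(SAMPLE_LOG):
        print(f"{kind:28s} src={src} user={user}")
```

The window and threshold are tunable; the sliding-window counter keeps memory bounded to the failures still inside the window per source. In practice the baseline set would be fed from the device inventory built in the first checklist item, so a login from an address that should never manage a firewall surfaces immediately.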
Industry Context: Ransomware and Zero-Day Exploitation
The breach followed a period of increased attack activity against SonicWall firewalls, notably ransomware campaigns and zero-day exploits against SSLVPN vulnerabilities (such as CVE-2024-40766). While these campaigns were not directly linked to the MySonicWall incident, their timing highlights the critical need for proactive device management and rapid vulnerability patching.
Conclusion
The SonicWall breach underscores the critical importance of cloud service hygiene, regular credential updates, and transparent incident response. Organizations leveraging MySonicWall should act immediately to reset credentials and update device security, helping shield networks from further exploitation. Stay tuned for more updates and ongoing analysis as the situation develops.