
In early October 2025, SonicWall confirmed a major security incident that now stands as one of the most significant configuration leaks in recent memory. An unauthorized party accessed firewall configuration backup files for every SonicWall customer using its MySonicWall cloud backup service, triggering an urgent response across the security community.
What Was Breached?
The breach involved the theft of configuration files stored in SonicWall’s cloud service. These backups include not just device settings but also encrypted credentials, network rules, VPN settings, private keys, and administrator details. While the credentials and secrets are protected by strong encryption (AES-256), the sheer possession of this data by threat actors creates serious risk, especially where password reuse or weak secrets are involved. SonicWall’s forensic analysis, performed with Mandiant, confirmed the exposure affects 100% of cloud backup customers—making it a global event with potentially wide-reaching consequences.
How Are Attackers Exploiting the Leak?
From October 4th onward, security researchers at Huntress and others began observing a surge in SonicWall SSLVPN compromises. Over 100 accounts across 16 separate customer environments were breached using what appear to be valid credentials, rather than brute-force attacks. Malicious traffic was traced to a single IP (202.155.8[.]73), with attackers rapidly authenticating, scanning networks, and attempting lateral movement. Current evidence links some of these exploit attempts to the Akira ransomware group, who are leveraging both existing credentials and known SSLVPN vulnerabilities to accelerate intrusions.
Guidance for Affected SonicWall Customers
SonicWall and leading security vendors recommend immediate action:
- Log into the MySonicWall portal and review the Product Management → Issue List dashboard for impacted devices.
- Reset all credentials and private keys stored in the compromised backup files (VPN, LDAP, admin accounts, site-to-site VPN secrets).
- Rotate passwords on connected authentication servers (LDAP, RADIUS, TACACS+).
- Update secrets in all IPSec and GroupVPN policies.
- Restrict or disable WAN and remote management temporarily.
- Enable strong multi-factor authentication on all administrative and remote access accounts.
- Reintroduce remote management only after thorough monitoring for additional suspicious activity.
- Revoke external API keys and automation secrets related to firewalls and network management.
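The intrusion pattern described above (one source address authenticating successfully as many distinct SSLVPN accounts, with valid credentials rather than a brute-force failure storm) is something the monitoring step can look for directly. The following Python is an added example, not code from the original post or from SonicWall; the log line format and all sample lines are constructed for this example (the only page-supplied value is the reported source IP), and the thresholds are assumptions to tune per environment.

```python
"""Flag 'valid credential' SSLVPN login sprays: a single source IP that logs in
successfully as many different accounts within a short window, with few or no
preceding failures (the opposite of a brute-force signature)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed generic syslog-like layout, NOT SonicWall's
# real log syntax. Fields: timestamp, service, event, outcome, user=..., src=...
SAMPLE_LOGS = """\
2025-10-04T02:10:11Z sslvpn login success user=jsmith src=202.155.8.73
2025-10-04T02:10:19Z sslvpn login success user=mchen src=202.155.8.73
2025-10-04T02:10:27Z sslvpn login success user=svc_backup src=202.155.8.73
2025-10-04T02:10:40Z sslvpn login success user=admin2 src=202.155.8.73
2025-10-04T02:11:03Z sslvpn login success user=rlopez src=202.155.8.73
2025-10-04T08:30:00Z sslvpn login success user=jsmith src=198.51.100.20
2025-10-04T08:31:00Z sslvpn login failure user=jsmith src=198.51.100.21
2025-10-04T09:00:00Z sslvpn login success user=mchen src=198.51.100.22
"""

def parse(line):
    """Split one constructed log line into (timestamp, outcome, user, src_ip)."""
    ts, _service, _event, outcome, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")),
            outcome, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def find_credential_sprays(log_text, min_users=3, window=timedelta(minutes=10)):
    """Return {src_ip: {"users": [...], "failures": n}} for every source IP that
    authenticated successfully as at least `min_users` distinct accounts inside
    any `window`-long span. The failure count is reported so an analyst can see
    that the logins were not preceded by guessing (valid-credential pattern)."""
    successes = defaultdict(list)   # src_ip -> [(timestamp, user), ...]
    failures = defaultdict(int)     # src_ip -> number of failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = parse(line)
        if outcome == "success":
            successes[src].append((ts, user))
        else:
            failures[src] += 1
    hits = {}
    for src, events in successes.items():
        events.sort()
        # Sliding window anchored at each success: count distinct users after it.
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = {"users": sorted(users), "failures": failures[src]}
                break
    return hits
```

Source IPs that trip the check are candidates for session termination and for the credential rotation listed above; every account they touched should be treated as exposed even if the login looked legitimate.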
The Bigger Picture: Why This Incident Matters
This breach hands threat actors a detailed blueprint of enterprise networks and authentication mechanisms. Even though credentials are encrypted, sophisticated attackers could use ancillary data or try password reuse to break into other systems. Most critically, with attacker interest already surging in SonicWall SSLVPN endpoints, there’s mounting risk of targeted ransomware attacks and deeper exploit campaigns leveraging exposed data.
What’s Next?
SonicWall has enacted new security hardening measures and continues to work with Mandiant to further bolster its infrastructure and monitoring capabilities. Users are urged not to delay remediation: rotating all credentials, monitoring network traffic, and reviewing SonicWall advisories should be a top priority.
The SonicWall cloud backup breach is a stark reminder that configuration and credential management are as vital to your organization’s resilience as patching software vulnerabilities. For those affected—or connected to affected parties—the time to act is now.