October 9, 2025

    MySonicWall Cloud Backup Service Breach Leads to Exposed Configuration Files

    Quick Summary

    • MySonicWall cloud backup service has been breached - any configuration files stored there should be considered compromised.
    • SonicWall revealed this access was the result of a targeted brute-force attack.
    • Customers storing configuration files in the MySonicWall cloud backup service are urged to follow remediation guidelines.
    • Exposed configuration backup files contain sensitive information that could put organizations at risk.
    • No action required for organizations that are not using the MySonicWall cloud backup service and have no configuration files stored there.


    What Happened

    On September 17, 2025, SonicWall released a knowledge base article detailing the exposure of firewall configuration backup files stored in certain MySonicWall accounts. The initial announcement indicated that fewer than 5% of firewalls were affected, with encrypted credentials and no known data leaks. SonicWall revealed this access was the result of a targeted brute-force attack rather than ransomware activity.

    Following this initial disclosure, SonicWall notified potentially affected customers and provided them with fresh configuration files containing randomized passwords for all local users, reset bindings where TOTP (Time-based One-Time Password) is enabled, and randomized IPSec VPN keys. According to SonicWall, "These configuration changes have been made to update these possibly exposed parameters."

    For customers who preferred not to import the SonicWall-provided preference file, guidance was made available to complete a manual "Essential Credential Reset" through their support documentation.

    On October 8, 2025, SonicWall provided an update stating that it had concluded its investigation and confirmed that an unauthorized party had accessed firewall configuration backup files for all customers who have used SonicWall's cloud backup service.


    What That Means

    The exposed configuration backup files contain sensitive information that could put organizations at risk. These files typically include:

    • Local user credentials (usernames and passwords for firewall access)
    • VPN configurations including IPSec shared keys and authentication settings
    • Network topology information such as IP addressing schemes, subnets, and routing configurations
    • Security policies and firewall rules that define what traffic is allowed or blocked
    • SNMP community strings used for network monitoring
    • Admin access credentials for the firewall management interface
    • SSL VPN settings including authentication methods
    • Email and logging server credentials
    • Third-party service integrations and their associated credentials

    According to SonicWall, "The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks." It's unclear exactly what portions of the configuration files are encrypted or how encryption is implemented, but possession of these configuration files significantly increases the risk of targeted attacks. Here's why:

    Offline brute-force attacks: If credentials or other sensitive data are encrypted (rather than the entire file), attackers can attempt to crack those encrypted values offline at their own pace, without triggering account lockouts or detection systems. Weak or default passwords are particularly vulnerable to this approach.

    Configuration intelligence: Even with encryption in place, these files likely contain (or could reveal once decrypted) valuable information about network architecture, security policies, enabled services, and potential vulnerabilities that can be exploited through other means.

    Targeted attack planning: Attackers can study the configurations to identify the best attack vectors, vulnerable services, and security gaps before ever touching the live systems.

    Credential stuffing opportunities: If attackers successfully crack any credentials, they can attempt to use them across multiple systems, especially if organizations reuse passwords.


    How to Identify and What to Do

    How to identify vulnerable devices

    It is important to note that ONLY organizations that use the MySonicWall configuration cloud backup service are affected. Those who have not used this service for configuration file backups are not impacted, and no action is required.

    To determine if your organization is impacted, follow the guidance provided in SonicWall's official knowledge base article:

    1. Log in to your MySonicWall.com account and verify if cloud backups exist for your registered firewalls.
      • If cloud backups DO exist, continue reading.
      • If cloud backups DO NOT exist, no action is required.
    2. Check for impacted serial numbers: Navigate to Product Management | Issue List. Affected serial numbers will be flagged with information including:
      • Friendly Name
      • Last Download Date
      • Known Impacted Services
    3. If you have used the Cloud Backup feature but no Serial Numbers are shown: SonicWall will provide additional guidance in the coming days to determine if your backup files were impacted. Check the MySonicWall Cloud Backup File Incident page regularly for updates.

    While SonicWall has explained that only specific serial numbers have been impacted, it is highly recommended to follow their Essential Credential Reset and Remediation playbooks if your organization has any configuration files stored in the MySonicWall configuration cloud backup service.


    What to do

    If Serial Numbers are shown: The listed firewalls are at risk and should immediately follow the containment and remediation guidelines outlined in SonicWall's Essential Credential Reset documentation.

    Prioritization tip: Focus on "Active – High Priority" units first, then "Active – Lower Priority" units.

    Important note: The "Impacted Services" field should be used for general guidance only. While the listed services were identified as being enabled at the time of backup, you should review ALL SERVICES WITH CREDENTIALS THAT WERE ENABLED AT OR BEFORE THE TIME OF BACKUP for each serial number listed.
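    The prioritization tip and the "enabled at or before the time of backup" rule above can be turned into a rotation checklist. The following is an added example, not SonicWall's or Blumira's code: the Issue List records and change history are constructed, the serial numbers are placeholders, and the Last Download Date is assumed here to stand in for the time the backup was taken, with the enable/disable history coming from your own change records.

```python
from datetime import date

# Constructed sample records shaped like the MySonicWall Issue List fields named
# in the advisory (Friendly Name, Last Download Date, Known Impacted Services).
# Serial numbers are placeholders, not real devices.
ISSUE_LIST = [
    {"serial": "SERIAL-PLACEHOLDER-B", "friendly_name": "branch-fw",
     "last_download": date(2025, 9, 10), "priority": "Active - Lower Priority",
     "known_impacted_services": ["SSL VPN"]},
    {"serial": "SERIAL-PLACEHOLDER-A", "friendly_name": "hq-fw",
     "last_download": date(2025, 9, 1), "priority": "Active - High Priority",
     "known_impacted_services": ["IPSec VPN", "SSL VPN"]},
]

# Constructed change history: (service, date, action) per firewall, e.g. from your
# own change tickets. SNMP on hq-fw was disabled before the backup was taken,
# but its community string may still sit in the backup file.
SERVICE_EVENTS = {
    "SERIAL-PLACEHOLDER-A": [("SNMP", date(2024, 3, 5), "enabled"),
                             ("SNMP", date(2025, 8, 20), "disabled"),
                             ("Syslog/email auth", date(2025, 9, 1), "enabled"),
                             ("LDAP", date(2025, 9, 15), "enabled")],
    "SERIAL-PLACEHOLDER-B": [("SNMP", date(2025, 5, 1), "enabled")],
}

PRIORITY_RANK = {"Active - High Priority": 0, "Active - Lower Priority": 1}

def services_enabled_by(events, backup_date):
    """Every service with an 'enabled' event on or before the backup date.
    A later 'disabled' event does not remove it: the backup still captured
    the credential, so it still has to be rotated."""
    return {svc for svc, when, action in events
            if action == "enabled" and when <= backup_date}

def build_rotation_plan(issue_list, service_events):
    """One work item per flagged serial, high priority first, listing the union
    of SonicWall's Known Impacted Services and whatever our own change history
    says was enabled at or before the backup."""
    plan = []
    for rec in issue_list:
        inferred = services_enabled_by(service_events.get(rec["serial"], []),
                                       rec["last_download"])
        plan.append({"serial": rec["serial"], "friendly_name": rec["friendly_name"],
                     "priority": rec["priority"],
                     "rotate": sorted(set(rec["known_impacted_services"]) | inferred)})
    return sorted(plan, key=lambda item: PRIORITY_RANK.get(item["priority"], 99))

if __name__ == "__main__":
    for item in build_rotation_plan(ISSUE_LIST, SERVICE_EVENTS):
        print(item["priority"], item["friendly_name"], "->", ", ".join(item["rotate"]))
```

    Note that the plan for hq-fw includes SNMP even though it was disabled before the backup, and excludes LDAP because it was enabled only after the backup was taken.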

    Technical containment and mitigation documentation can be found at:

    Use the SonicWall Online Firewall Configuration Analysis Tool to identify services that require remediation and follow the on-screen instructions to proceed. Note that UPE Mode is not supported by this tool.


    Who's Impacted

    This incident affects anyone who uses the MySonicWall.com cloud backup service to back up firewall configurations. Based on SonicWall's October 8th update, any customers storing firewall configuration files using this feature have had their configuration files accessed by unauthorized parties.

    When Will SonicWall Fix It

    Unlike a traditional vulnerability requiring a software patch, this incident involves a compromise of SonicWall's cloud backup service infrastructure. There is no firmware update or patch to apply to your firewalls to "fix" this issue.

    Instead, remediation focuses on rotating all potentially exposed credentials and security parameters for affected customers. SonicWall has provided comprehensive guidance through the following resources:

    Organizations must take action to reset credentials and reconfigure security parameters on their affected firewalls. This is not a "wait for a patch" situation—immediate action is required to mitigate the risk of targeted attacks using the exposed configuration data.

    Jake Ouellette

    Jake is an Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.
