SonicWall

SonicWall experienced a security breach in September where state-sponsored hackers gained unauthorized access to a specific cloud environment via an API call, exposing firewall configuration backup files stored in **MySonicWall** accounts. While the breach was isolated and did not compromise SonicWall’s products, firmware, source code, or customer networks, the exposed files contained sensitive credentials (e.g., access tokens, LDAP/RADIUS/TACACS+ passwords, VPN shared secrets, and WAN interface passwords). This information could have significantly eased follow-on attacks against customers' firewalls by allowing threat actors to exploit misconfigured or weakly secured systems. SonicWall promptly advised affected users to reset all related credentials and secrets. The incident was later confirmed to be unrelated to concurrent Akira ransomware attacks or the separate wave of SSLVPN credential-stuffing attacks reported by Huntress in October. Mandiant’s investigation concluded that the breach was contained, with no evidence of lateral movement or broader system disruption.

Source: https://www.bleepingcomputer.com/news/security/sonicwall-says-state-sponsored-hackers-behind-security-breach-in-september/

TPRM report: https://www.rankiteo.com/company/sonicwall

{
  "id": "son0592205110525",
  "linkid": "sonicwall",
  "type": "Breach",
  "date": "9/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': 'All customers using SonicWall’s '
                                              'cloud backup service for '
                                              'firewall configuration files',
                        'industry': 'Cybersecurity',
                        'location': 'United States',
                        'name': 'SonicWall',
                        'type': 'Network Security Vendor'}],
 'attack_vector': ['API Exploitation', 'Cloud Storage Compromise'],
 'customer_advisories': 'Immediate credential rotation recommended for all '
                        'potentially exposed secrets.',
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Configuration backup files'],
                 'sensitivity_of_data': 'High (credentials for firewalls, '
                                        'VPNs, and authentication servers)',
                 'type_of_data_compromised': ['Firewall configuration files',
                                              'Authentication credentials',
                                              'Encryption tokens']},
 'date_detected': '2023-09-17',
 'date_publicly_disclosed': '2023-09-17',
 'description': "SonicWall's investigation into the September 2023 security "
                'breach confirmed that state-sponsored hackers accessed '
                "customers' firewall configuration backup files stored in a "
                'specific cloud environment via an unauthorized API call. The '
                'exposed files contained sensitive credentials and tokens, '
                'potentially facilitating further exploitation of customer '
                'firewalls. The breach was isolated and did not impact '
                "SonicWall's products, firmware, systems, tools, source code, "
                'or customer networks. Customers were advised to reset '
                'multiple credentials, including MySonicWall account '
                'passwords, LDAP/RADIUS/TACACS+ server passwords, and '
                'VPN-related secrets. The incident was unrelated to concurrent '
                'Akira ransomware attacks targeting SonicWall VPN accounts.',
 'impact': {'brand_reputation_impact': 'Potential reputational risk due to '
                                       'exposure of sensitive customer '
                                       'credentials',
            'data_compromised': ['Firewall configuration backup files',
                                 'Access credentials',
                                 'Tokens',
                                 'LDAP/RADIUS/TACACS+ passwords',
                                 'VPN shared secrets'],
            'identity_theft_risk': 'High (exposed credentials could facilitate '
                                   'further attacks)',
            'operational_impact': 'None (isolated to backup files; no '
                                  'disruption to products or networks)',
            'systems_affected': ['MySonicWall cloud backup service']},
 'initial_access_broker': {'entry_point': 'Unauthorized API call to cloud '
                                          'backup environment',
                           'high_value_targets': ['Firewall configuration '
                                                  'files',
                                                  'Authentication '
                                                  'credentials']},
 'investigation_status': 'Completed (by Mandiant)',
 'lessons_learned': 'Isolation of cloud environments and API security are '
                    'critical to preventing lateral movement. Proactive '
                    'credential rotation advisories can mitigate downstream '
                    'risks from exposed configuration files.',
 'motivation': ['Espionage', 'Credential Harvesting'],
 'post_incident_analysis': {'corrective_actions': ['API security enhancements',
                                                   'Customer credential reset '
                                                   'advisory'],
                            'root_causes': ['Insufficient API access controls',
                                            'Lack of segmentation in cloud '
                                            'backup environment']},
 'recommendations': ['Enhance API security controls for cloud services storing '
                     'sensitive data.',
                     'Implement multi-factor authentication (MFA) for cloud '
                     'backup access.',
                     'Regularly audit and rotate credentials stored in '
                     'configuration files.',
                     'Segment cloud environments to limit blast radius of '
                     'breaches.',
                     'Monitor for unauthorized API calls and anomalous access '
                     'patterns.'],
 'references': [{'source': 'SonicWall Official Statement (September 17, 2023)'},
                {'source': 'SonicWall Update (October 9, 2023)'},
                {'source': 'Huntress Report on SonicWall SSLVPN Attacks '
                           '(October 13, 2023)'}],
 'response': {'communication_strategy': ['Public disclosure (2023-09-17)',
                                         'Update on investigation completion '
                                         '(2023-10-09)',
                                         'Assurance of product safety'],
              'containment_measures': ['Isolation of compromised cloud '
                                       'environment',
                                       'API access restrictions'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Customer advisory to reset credentials '
                                       '(MySonicWall accounts, '
                                       'LDAP/RADIUS/TACACS+, VPN secrets)'],
              'third_party_assistance': ['Mandiant (incident response '
                                         'investigation)']},
 'stakeholder_advisories': 'Customers advised to reset credentials for '
                           'MySonicWall accounts, LDAP/RADIUS/TACACS+ servers, '
                           'and VPN interfaces.',
 'threat_actor': 'State-sponsored threat actor',
 'title': 'SonicWall Security Breach Exposing Firewall Configuration Backup '
          'Files',
 'type': ['Data Breach', 'Unauthorized Access'],
 'vulnerability_exploited': 'Unauthorized API access to cloud backup files'}