SonicWall detected a security incident where threat actors accessed encrypted backup firewall preference files stored in the MySonicWall cloud service for fewer than 5% of its firewall install base. Although no files were leaked online, the exposed data included encrypted credentials and configuration details that could facilitate further exploitation of affected firewalls. The breach resulted from brute-force attacks targeting the cloud backup service, not ransomware. SonicWall locked out the attackers, notified authorities, and urged impacted customers to reset credentials, reconfigure VPN pre-shared keys, and update TOTP bindings to mitigate risks. The remediation process requires importing new preference files, which disrupts VPNs and user access, necessitating manual reconfiguration. The company emphasized no evidence of data leaks but warned of potential follow-on attacks if exposed configurations were misused.
TPRM report: https://www.rankiteo.com/company/sonicwall
{
  "id": "son1091810100325",
  "linkid": "sonicwall",
  "type": "Breach",
  "date": "9/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Fewer than 5% of SonicWall firewall install base',
                        'industry': 'Cybersecurity',
                        'location': 'Global (HQ in Milpitas, California, USA)',
                        'name': 'SonicWall',
                        'type': 'Private Company'}],
 'attack_vector': ['Brute Force Attack', 'Cloud Storage Exploitation'],
 'customer_advisories': ['Reset credentials immediately if cloud backups are enabled',
                         'Import new preference files (with awareness of VPN/TOTP disruptions)',
                         'Reconfigure VPN pre-shared keys and TOTP post-import',
                         'Follow manual remediation guidance if unable to import new files'],
 'data_breach': {'data_encryption': 'Partially (credentials were encrypted, but other configuration details were exposed)',
                 'file_types_exposed': ['Firewall backup preference files'],
                 'sensitivity_of_data': 'Medium (encrypted credentials but potential for exploitation)',
                 'type_of_data_compromised': ['Firewall preference files (configuration details and encrypted credentials)']},
 'date_detected': '2025-09-18T00:00:00Z',
 'date_publicly_disclosed': '2025-09-18T00:00:00Z',
 'description': 'SonicWall detected suspicious activity targeting its cloud backup service for firewalls, confirming a security incident where threat actors accessed backup firewall preference files for fewer than 5% of its firewall install base. While credentials in the files were encrypted, the exposed information could facilitate potential exploitation of related firewalls. No files were leaked, but SonicWall urged customers to reset credentials and import new preference files to mitigate risks. The incident was not ransomware-related but involved brute force attacks aimed at accessing preference files for potential future misuse.',
 'impact': {'brand_reputation_impact': 'Moderate (urgent advisory issued, but no data leakage confirmed)',
            'data_compromised': ['Firewall preference files (encrypted credentials and configuration details)'],
            'downtime': 'Potential downtime during remediation (VPN reconfiguration, TOTP reset, and firewall reboot)',
            'identity_theft_risk': 'Low (credentials were encrypted, but exposure increases risk)',
            'operational_impact': ['Disruption of IPSec VPNs',
                                   'TOTP bindings reset',
                                   'User access reconfiguration',
                                   'Maintenance window requirements for remediation'],
            'systems_affected': ['SonicWall Firewalls with MySonicWall cloud backups enabled']},
 'initial_access_broker': {'entry_point': 'MySonicWall cloud backup service',
                           'high_value_targets': ['Firewall preference files']},
 'investigation_status': 'Ongoing (collaboration with cybersecurity experts and law enforcement)',
 'motivation': ['Data Theft', 'Potential Future Exploitation'],
 'post_incident_analysis': {'root_causes': ['Brute force attacks on MySonicWall cloud backups',
                                            'Insufficient protection for stored preference files']},
 'recommendations': ['Enable multi-factor authentication (MFA) for MySonicWall accounts',
                     'Regularly audit cloud backup configurations',
                     'Monitor for suspicious activity in firewall preference files',
                     'Conduct periodic credential rotation for firewall administrators',
                     'Schedule remediation during low-activity periods to minimize downtime'],
 'references': [{'date_accessed': '2025-09-18',
                 'source': 'SecurityAffairs',
                 'url': 'https://securityaffairs.com/'}],
 'regulatory_compliance': {'regulatory_notifications': ['Law enforcement notified']},
 'response': {'communication_strategy': ['Public advisory issued (2025-09-18)',
                                         'Customers notified via MySonicWall accounts (flagged serial numbers for affected devices)',
                                         'Detailed remediation steps provided'],
              'containment_measures': ["Blocked attackers' access to MySonicWall backups"],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['Guidance provided for manual remediation if new preference files cannot be imported'],
              'remediation_measures': ['Customers urged to reset credentials',
                                       'Import new preference files (disrupts VPNs, TOTP, and user access)',
                                       'Manual credential reset for customers unable to import new files',
                                       'Reconfiguration of VPN pre-shared keys'],
              'third_party_assistance': ['Cybersecurity experts']},
 'stakeholder_advisories': ['Customers advised to check MySonicWall accounts for flagged serial numbers and follow remediation steps'],
 'title': 'SonicWall MySonicWall Backup Exposure Incident',
 'type': ['Data Exposure', 'Unauthorized Access'],
 'vulnerability_exploited': 'Exposed backup firewall preference files in MySonicWall cloud service'}