SonicWall suffered a cyberattack in which threat actors brute-forced their **MySonicWall** cloud backup service and obtained the firewall configuration backup files of **all customers** who used the feature. The files contain sensitive data such as **network rules, VPN configurations, service credentials (LDAP, RADIUS, SNMP) and, where stored in the configuration, admin usernames and passwords**, which raises the risk of **targeted network intrusions**. SonicWall initially downplayed the impact (claiming fewer than 5% of customers were affected) but later acknowledged that the breach was far broader, covering every user of the cloud backup feature and potentially reaching hundreds of thousands of customers worldwide. The backup files themselves were encrypted, but possession of them lets attackers attempt decryption offline and then use the recovered configurations to **bypass defenses, operate with insider-level knowledge of the network, or reuse the exposed service credentials**. SonicWall urged customers to **delete cloud backups, rotate every credential and shared secret carried in the configuration, and recreate configurations locally** to mitigate the risk. The breach did not affect other MySonicWall services or devices, but it posed severe operational and security risks to affected organizations.
TPRM report: https://www.rankiteo.com/company/sonicwall
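The summary above lists the kinds of secrets a firewall backup carries (LDAP bind password, RADIUS shared secret, SNMP community strings, VPN pre-shared keys, admin passwords) and the advisory to rotate all of them. The script below, added here as an example and not SonicWall's code or remediation tooling, inventories those secrets in a backup and turns them into a rotation checklist. The key=value backup it parses is a constructed sample, not the real SonicOS export format, and the `$enc$` prefix marking an encrypted value is a hypothetical convention chosen for this example; the rule table is likewise an assumption about field names.

```python
"""Inventory the secrets carried by a firewall configuration backup and
turn them into a rotation checklist.

Added example, not SonicWall's code or tooling. The backup below is a
constructed, generic key=value export; it is NOT the real SonicOS export
format, and the "$enc$" prefix marking an encrypted value is a
hypothetical convention chosen for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample backup. Every value is a placeholder, not a real secret.
SAMPLE_CONFIG = """\
adminName=admin
adminPassword=$enc$3f9a1c77
ldapServer=ldap.corp.example
ldapBindDn=cn=svc-fw,ou=svc,dc=corp,dc=example
ldapBindPassword=Winter2024!
radiusServer=10.0.5.20
radiusSharedSecret=$enc$77b1e902
snmpCommunity=public
snmpTrapCommunity=fwtraps
vpnPolicyName=site-b
vpnPresharedKey=CorrectHorseBatteryStaple
dhcpLease=86400
"""

ENC_MARKER = "$enc$"                      # hypothetical "value is encrypted" prefix
DEFAULT_COMMUNITIES = {"public", "private"}

# (key pattern, what the secret is, where it must be rotated besides the firewall)
SECRET_RULES = [
    (re.compile(r"^adminPassword$", re.I), "admin password", "firewall admin account"),
    (re.compile(r"^ldap.*(password|secret)", re.I), "LDAP bind password", "directory service account"),
    (re.compile(r"^radius.*secret", re.I), "RADIUS shared secret", "RADIUS server client entry"),
    (re.compile(r"^snmp.*community", re.I), "SNMP community string", "SNMP manager"),
    (re.compile(r"^vpn.*(presharedkey|psk)", re.I), "VPN pre-shared key", "peer VPN gateway"),
]


@dataclass
class Finding:
    key: str
    kind: str
    rotate_at: str
    encrypted: bool
    notes: list


def parse_config(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)   # values (e.g. a bind DN) may contain '='
        settings[key.strip()] = value.strip()
    return settings


def inventory(text: str) -> list:
    """Return one Finding per credential-bearing setting in the backup."""
    findings = []
    for key, value in parse_config(text).items():
        for pattern, kind, rotate_at in SECRET_RULES:
            if not pattern.search(key):
                continue
            encrypted = value.startswith(ENC_MARKER)
            notes = []
            if not encrypted:
                notes.append("stored in plaintext")
            if kind == "SNMP community string" and value.lower() in DEFAULT_COMMUNITIES:
                notes.append("well-known default community")
            findings.append(Finding(key, kind, rotate_at, encrypted, notes))
            break
    return findings


def rotation_checklist(findings: list) -> list:
    """Every secret is rotated, encrypted or not: an exposed backup can be
    attacked offline, so ciphertext in the attacker's hands is still a
    compromise. Plaintext values are listed first since they need no cracking."""
    ordered = sorted(findings, key=lambda f: (f.encrypted, f.key))
    lines = []
    for f in ordered:
        action = "ROTATE" if f.encrypted else "ROTATE NOW"
        line = f"{action}: {f.kind} ({f.key}) at {f.rotate_at} and on the firewall"
        if f.notes:
            line += " [" + "; ".join(f.notes) + "]"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for item in rotation_checklist(inventory(SAMPLE_CONFIG)):
        print(item)
```

The checklist deliberately names the other side of each credential (directory, RADIUS server, SNMP manager, VPN peer): rotating a secret only on the firewall leaves the old value valid wherever the firewall authenticated with it, which is exactly the path an attacker holding the backup would take.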
"id": "son2892228101025",
"linkid": "sonicwall",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, including leaks of customer data"
{
    'affected_entities': [
        {
            'customers_affected': 'All customers using MySonicWall cloud backup feature (initially claimed <5%, later revealed to be all users of the feature)',
            'industry': 'Network Security',
            'location': 'Global',
            'name': 'SonicWall',
            'size': '~500,000 customers (not all using firewall/cloud backup services)',
            'type': 'Cybersecurity Company',
        }
    ],
    'attack_vector': ['Brute Force Attack'],
    'customer_advisories': ['Delete existing cloud backups, change credentials, rotate shared secrets, and recreate configurations locally.'],
    'data_breach': {
        'data_encryption': ['Files were encrypted but possession increases risk of decryption/brute-forcing'],
        'data_exfiltration': True,
        'file_types_exposed': ['Firewall Configuration Files'],
        'personally_identifiable_information': ['Potentially (if admin credentials included PII)'],
        'sensitivity_of_data': ['High (Includes credentials and network topology details)'],
        'type_of_data_compromised': [
            'Firewall Configuration Files',
            'Network Rules',
            'Access Policies',
            'VPN Configurations',
            'Service Credentials (LDAP, RADIUS, SNMP)',
            'Admin Usernames and Passwords (if stored in config)',
        ],
    },
    'date_detected': '2025-09-15',
    'date_publicly_disclosed': '2025-09-15',
    'description': 'Attackers brute-forced SonicWall’s MySonicWall cloud service, exposing firewall configuration files of global customers. The files included network rules, access policies, VPN configurations, and service credentials (LDAP, RADIUS, SNMP), as well as admin usernames and passwords if stored in the config. SonicWall initially underestimated the scale, later revealing that all customers using the MySonicWall cloud backup feature were affected. The company urged users to delete backups, rotate secrets, and recreate configurations locally to mitigate risks of credential leaks and targeted network intrusions.',
    'impact': {
        'brand_reputation_impact': ['Potential Loss of Trust Due to Underestimation of Incident Scale and Exposure of Sensitive Configuration Data'],
        'data_compromised': [
            'Firewall Configuration Files (Network Rules, Access Policies, VPN Configurations)',
            'Service Credentials (LDAP, RADIUS, SNMP)',
            'Admin Usernames and Passwords (if stored in config)',
        ],
        'identity_theft_risk': ['High (Due to Potential Exposure of Admin Credentials and Service Secrets)'],
        'operational_impact': [
            'Increased Risk of Targeted Attacks Due to Exposed Configuration Details',
            'Need for Customers to Delete Backups, Rotate Secrets, and Recreate Configurations Locally',
        ],
        'systems_affected': ['MySonicWall Cloud Backup Service'],
    },
    'initial_access_broker': {
        'entry_point': ['MySonicWall Cloud Service (via brute-force attack)'],
        'high_value_targets': ['Firewall configuration files containing network topology, credentials, and access policies'],
    },
    'investigation_status': 'Ongoing (Customers urged to take remediation actions)',
    'lessons_learned': ['Underestimation of incident scale can erode trust; transparency is critical. Weak authentication mechanisms in cloud services pose significant risks. Firewall configuration files are high-value targets for threat actors seeking insider knowledge for targeted attacks.'],
    'motivation': [
        'Credential Theft',
        'Targeted Network Intrusions',
        'Insider Knowledge for Future Attacks',
    ],
    'post_incident_analysis': {
        'corrective_actions': [
            'Enhanced authentication for cloud services.',
            'Improved incident communication protocols.',
            'Development of tools for customer remediation.',
        ],
        'root_causes': [
            'Weak authentication mechanisms in MySonicWall cloud service, enabling brute-force attacks.',
            "Underestimation of the incident's scope during initial disclosure.",
        ],
    },
    'recommendations': [
        'Implement multi-factor authentication (MFA) for cloud services, especially those storing sensitive configurations.',
        'Regularly audit and rotate credentials and secrets stored in firewall configurations.',
        'Avoid storing plaintext or weakly encrypted credentials in configuration backups.',
        'Monitor for unusual access patterns or brute-force attempts on cloud services.',
        'Conduct third-party security assessments for cloud backup solutions.',
        'Educate customers on secure backup practices, including local storage of sensitive configurations.',
    ],
    'references': [
        {'source': 'The Register'},
        {'source': 'TechRadar Pro', 'url': 'https://www.techradar.com'},
    ],
    'response': {
        'communication_strategy': [
            'Public notification via advisory',
            'Direct notification to impacted partners and customers',
        ],
        'containment_measures': [
            'Urged customers to delete existing cloud backups',
            'Encouraged credential rotation and secret rotation',
            'Recommended recreating backups locally',
        ],
        'incident_response_plan_activated': True,
        'remediation_measures': ['Released tools to assist with device assessment and remediation'],
    },
    'stakeholder_advisories': ['SonicWall notified all impacted partners and customers with remediation guidance.'],
    'threat_actor': ['Unnamed Threat Actors'],
    'title': 'SonicWall Cloud Backup Breach Exposes Firewall Configuration Files',
    'type': ['Data Breach', 'Unauthorized Access', 'Credential Theft'],
    'vulnerability_exploited': ['Weak Authentication Mechanisms in MySonicWall Cloud Service'],
}
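The record's root cause is a brute-forceable cloud login, and its recommendations include monitoring for brute-force attempts and unusual access patterns on cloud services. The script below is an added example of that detection logic, not SonicWall's detection or MySonicWall's actual log format: it runs a sliding window per source address over constructed authentication log lines and raises three kinds of alert, a failure burst from one source (brute force), failures spread across many accounts from one source (password spraying, which stays under per-account lockout), and a successful login that immediately follows a burst (the likely-compromise case). The `result=`/`user=`/`src=` field layout, the 60-second window and both thresholds are assumptions for the example.

```python
"""Flag brute-force and password-spray patterns in a cloud portal's
authentication log, plus a success that follows a burst of failures from
the same source.

Added example, not SonicWall's detection logic or MySonicWall's log
format. The log lines below are constructed for this example; the field
layout (result=, user=, src=), the window and the thresholds are
assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one benign mistype, one brute force that succeeds,
# one spray across several accounts, and a malformed line that must be skipped.
SAMPLE_LOG = """\
2025-09-15T02:14:01Z login result=FAIL user=alice src=192.0.2.10
2025-09-15T02:14:09Z login result=OK user=alice src=192.0.2.10
2025-09-15T02:15:00Z login result=FAIL user=admin src=203.0.113.5
2025-09-15T02:15:02Z login result=FAIL user=admin src=203.0.113.5
2025-09-15T02:15:04Z login result=FAIL user=admin src=203.0.113.5
2025-09-15T02:15:06Z login result=FAIL user=admin src=203.0.113.5
2025-09-15T02:15:08Z login result=FAIL user=admin src=203.0.113.5
2025-09-15T02:15:11Z login result=OK user=admin src=203.0.113.5
2025-09-15T02:20:00Z login result=FAIL user=bob src=198.51.100.7
2025-09-15T02:20:03Z login result=FAIL user=carol src=198.51.100.7
2025-09-15T02:20:06Z login result=FAIL user=dave src=198.51.100.7
garbage line that does not parse
"""


@dataclass
class Alert:
    kind: str       # "brute_force", "password_spray" or "success_after_failures"
    src: str
    users: list     # accounts involved, sorted
    at: str         # timestamp of the event that triggered the alert


def parse_line(line: str):
    """Return (epoch_seconds, timestamp_text, result, user, src), or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["ts"], m["result"], m["user"], m["src"]


def detect(lines, window=60, fail_threshold=5, spray_threshold=3):
    """Sliding-window detection keyed on source address.

    brute_force:            >= fail_threshold failures from one src within window
    password_spray:         failures against >= spray_threshold distinct accounts
                            from one src within window
    success_after_failures: a successful login from a src whose failures in the
                            window already reached fail_threshold
    Each (src, kind) pair is alerted once per run to keep the output readable.
    """
    recent = defaultdict(deque)   # src -> deque of (epoch, user) for failures in window
    raised = set()
    alerts = []

    def raise_once(kind, src, users, at):
        if (src, kind) not in raised:
            raised.add((src, kind))
            alerts.append(Alert(kind, src, sorted(users), at))

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, stamp, result, user, src = parsed
        fails = recent[src]
        while fails and ts - fails[0][0] > window:   # expire failures outside the window
            fails.popleft()
        if result == "FAIL":
            fails.append((ts, user))
            users = {u for _, u in fails}
            if len(fails) >= fail_threshold:
                raise_once("brute_force", src, users, stamp)
            if len(users) >= spray_threshold:
                raise_once("password_spray", src, users, stamp)
        elif len(fails) >= fail_threshold:
            raise_once("success_after_failures", src, {user}, stamp)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.at} {a.kind:24} src={a.src} users={','.join(a.users)}")
```

Keying the window on the source rather than the account is what makes the spray case visible: per-account counters never reach a lockout threshold when each account sees one attempt. In practice the same logic would also run on a per-ASN or per-/24 key, since a brute force against a cloud login is usually spread across many source addresses; the example keeps a single key so the three patterns stay easy to follow.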