SonicWall Confirms State-Sponsored Hackers Targeted Cloud Backup Service

State-sponsored threat actors breached SonicWall’s cloud backup service, accessing firewall configuration files for all users and prompting urgent customer resets and governance reforms.

    Cybersecurity vendor SonicWall has officially attributed a breach of its cloud-backup service to a state-sponsored threat actor. The incident, disclosed in September 2025, involved unauthorized access to firewall configuration backup files stored in the MySonicWall.com platform.

    How the Breach Unfolded and What Was Compromised

    On September 17, 2025, SonicWall announced that an unauthorized party had accessed backup files for customers using its cloud-based configuration backup service on MySonicWall. By early October, the company confirmed the scope: all customers using the cloud backup platform had their configuration files exposed.

    These files contained encrypted credentials and configuration data for firewalls, including VPN credentials, administrative user configurations, and network-access secrets. While the files were encrypted, SonicWall warned that attackers could use the data to understand network topology and target devices more effectively.

    An official investigation conducted with incident-response firm Mandiant confirmed the involvement of a state-sponsored threat actor and that the breach was isolated to a specific cloud environment accessed via an API call. SonicWall stressed that its products, firmware, source code, tools, and customer networks were not compromised in the incident.

    Technical Tradecraft and Risk Implications for Customers

    The attackers reportedly exploited the MySonicWall cloud-backup service by using an API call to exfiltrate files. Because the breach targeted backup data rather than live firewall firmware or software, it may have gone unnoticed by traditional monitoring tools.

    Although the credentials inside those backups remained encrypted (often using 3DES), the surrounding configuration metadata, network models, and VPN templates offered attackers a richer surface for planning follow-on attacks. SonicWall urged customers to check their MySonicWall account for the presence of backups and reset credentials for all firewall services, including VPN, LDAP/RADIUS, site-to-site IPsec, and shared secrets.

    Cybersecurity analysts warn that encryption alone does not fully mitigate exposure when backups include configuration logic and network topology. Attackers with this level of detail can map an organization’s remote-access channels and pivot through its infrastructure in targeted campaigns.

    Strategic and Organizational Response at SonicWall

    In light of the incident, SonicWall’s leadership announced a series of governance and security reforms, focusing on “secure-by-design” development practices, hardened cloud infrastructure, and improved transparency with customers. Despite early statements estimating less than 5% of customers were impacted, the evolving disclosure that all cloud backup users were exposed has raised concerns about internal risk assessment and incident disclosure practices.

    What Affected Organisations Should Do Right Now

    • Immediately audit firewall configuration backups and remove or rotate credentials stored within.
    • Check for unauthorized backup entries in MySonicWall accounts and delete cloud-stored backups; maintain offline encrypted backups for system recovery.
    • Reset all credentials tied to firewall admin, VPN user accounts, RADIUS/LDAP, IPsec shared secrets, and disable default WAN management access.
    • Implement network segmentation and zero-trust models on perimeter devices; reduce reliance on cloud backup as the sole recovery mechanism.
    • Monitor firewall logs and anomaly-detection systems for unexpected VPN or site-to-site tunneling activity, especially if using SonicWall appliances.
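    The last item above, as an added illustration that is not SonicWall's code or log format: given a baseline of the IPsec peers and VPN users that should exist after the credential reset, flag tunnel establishments and VPN logins that fall outside it. The log lines and their syslog-style layout are constructed for the example; a real deployment would parse the appliance's actual export format.

```python
import re
from dataclasses import dataclass

# Constructed, syslog-style sample lines (NOT SonicWall's real log format).
SAMPLE_LOGS = """\
2025-10-02T08:01:12Z fw1 ipsec: tunnel established peer=203.0.113.10 policy=HQ-to-Branch
2025-10-02T08:03:45Z fw1 sslvpn: login user=alice src=198.51.100.23
2025-10-02T09:17:02Z fw1 ipsec: tunnel established peer=192.0.2.77 policy=HQ-to-Branch
2025-10-02T09:18:30Z fw1 sslvpn: login user=svc_backup src=192.0.2.78
2025-10-02T09:20:00Z fw1 sslvpn: login user=bob src=198.51.100.40
"""

# Assumed baseline: peers and users present in the rotated, post-incident config.
KNOWN_IPSEC_PEERS = {"203.0.113.10"}
KNOWN_VPN_USERS = {"alice", "bob"}

IPSEC_RE = re.compile(r"ipsec: tunnel established peer=(\S+) policy=(\S+)")
VPN_RE = re.compile(r"sslvpn: login user=(\S+) src=(\S+)")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    kind: str      # "unknown_ipsec_peer" or "unknown_vpn_user"
    subject: str   # peer IP or username
    detail: str


def find_unexpected_tunnels(log_text, known_peers, known_users):
    """Return findings for tunnels/logins not covered by the baseline."""
    findings = []
    for line in log_text.splitlines():
        ts = line.split(" ", 1)[0]
        m = IPSEC_RE.search(line)
        if m and m.group(1) not in known_peers:
            findings.append(Finding(ts, "unknown_ipsec_peer", m.group(1), f"policy={m.group(2)}"))
            continue
        m = VPN_RE.search(line)
        if m and m.group(1) not in known_users:
            findings.append(Finding(ts, "unknown_vpn_user", m.group(1), f"src={m.group(2)}"))
    return findings


if __name__ == "__main__":
    for f in find_unexpected_tunnels(SAMPLE_LOGS, KNOWN_IPSEC_PEERS, KNOWN_VPN_USERS):
        print(f"[{f.timestamp}] {f.kind}: {f.subject} ({f.detail})")
```

Anything flagged after the reset is a candidate for investigation, since a tunnel or account that is not in the rotated configuration may be using secrets recovered from the exposed backup.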

    Why This Matters Beyond SonicWall Customers

    The incident underscores a growing trend of nation-state actors targeting security-infrastructure providers — not only for direct espionage, but to use them as stepping-stones into enterprise networks. By compromising a vendor’s backup service, attackers obtain strategic topography that aids lateral moves across many organisations.

    For enterprises using edge-security appliances, the lesson is clear: your vendor’s compromise can become your compromise. Even when primary devices remain unaffected, exposed backup configurations offer adversaries a playbook for intrusion.
