SonicWall has disclosed that threat actors accessed every firewall configuration backup file stored through its MySonicWall cloud-backup service. The company originally estimated a fraction of users were affected but now says all customers who used the cloud backup function may be compromised. Administrators are being urged to act immediately by resetting all credentials and assessing impacted devices.
The cloud backup files reportedly include encoded configuration data and encrypted credentials. While SonicWall says encryption remains active, possession of the files puts customers at increased risk of targeted attacks. The company has published lists of impacted devices in the MySonicWall portal and released detailed remediation guidelines. SonicWall is working closely with Mandiant and has implemented hardening measures in its cloud infrastructure. (SonicWall KB)
All Cloud Backup Users Affected After Earlier Estimate of 5% Revised Upwards
On September 17, SonicWall alerted users that unauthorized actors had accessed backup configuration files for what it then characterized as “certain” customers. At the time, that was estimated at under 5% of the firewall install base. In an updated advisory, SonicWall said its investigation revealed that all users who ever enabled the cloud backup feature were affected.
The company now classifies devices in priority tiers in its “Issue List” section: “Active – High Priority” devices that are internet-facing, “Active – Lower Priority” devices not facing the internet, and “Inactive” units that have not reported in over 90 days. All administrators are asked to log in, verify whether any device is flagged, and immediately begin credential rotation.
The files exposed are firewall-export (“.EXP”) snapshots, which include routing rules, network configurations, VPN secrets, traffic policies, and more. SonicWall clarified that while credentials and secret keys in those backups remain AES-256 or 3DES encrypted, the configuration contexts around them—such as service names, IP layouts, access controls—may assist threat actors in planning precise attacks or vulnerability targeting.
Administrators Advised to Reset Passwords, Rotate Secrets and Harden Access
SonicWall’s published remediation playbook instructs administrators to perform “Essential Credential Reset” steps. This includes resetting passwords for all local firewall accounts, clearing TOTP (time-based one-time password) seeds, and updating credentials for integrated services such as LDAP, RADIUS, SNMP, site-to-site VPNs, and API keys.
Administrators are further advised to rotate any shared or common credentials tied to cloud backup users, remove stale accounts, and confirm that no unauthorized API tokens remain in play. The guidance also calls for reviewing related services that may rely on the firewall configuration (e.g. remote VPN peers, DNS forwarding, authentication gateways) to ensure they reflect updated secrets.
Because the breach stemmed from a brute-force attack on the backup service API, the company is strengthening rate limiting and access controls in MySonicWall. SonicWall says it has already deployed logging improvements, expanded anomaly detection, and added stricter authentication measures to prevent a recurrence.
Backstory: Brute Force Attack Gave Access to Sensitive Backup Files
SonicWall attributes the breach to a brute-force attack on its backup API interface, which allowed the adversary to enumerate MySonicWall accounts and access stored firewall configuration files. The attacker then downloaded those backups, according to public statements.
Possession of the backups opens a further attack path: once in control of valid device configuration snapshots, attackers can analyze firewall topologies, VPN endpoints, split-tunnel rules and even replicate on-prem network designs. That gives them a richer road map for planning future intrusions or lateral pivoting.
In its postmortem, SonicWall said the investigation was carried out in concert with Mandiant and its internal security team. The company originally delivered the advisory with a smaller scope, but extended disclosure upon deeper log correlation and system review.
Consequences of Exposure: Decryption, Attack Planning and Credential Reuse Risks
While the configuration files are encrypted, security analysts warn that attackers now have time to decrypt weakly secured secrets offline or to perform password guesses on high-value configurations. Even if they fail to crack passwords, the contextual metadata—like port assignments, routing maps and service names—can substantially reduce reconnaissance effort in follow-up attacks.
Network defenders must treat this breach as critical. Attackers may use the exposed data to craft tailored attacks against firewalls, exploit misconfigurations, or execute credential stuffing against administrative interfaces replicated across networks.
SonicWall said it will notify all impacted customers and partners, and will provide additional guidance over time. Administrators should monitor for unexpected configuration downloads, unknown API calls, and new firewall rules that alter traffic paths or trust zones.
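The three monitoring items just listed can be expressed as simple detection rules; this added Python example (not from SonicWall) runs them over constructed audit-log lines in a JSON-per-line layout invented here, since the article does not describe the real log formats. The trusted management network, the issued-token inventory and the zone trust ranking are assumptions.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed audit-log lines; the field names and layout are invented for this
# example and do not reflect any actual MySonicWall or firewall log format.
SAMPLE_LOG = """
{"ts":"2025-09-18T02:14:09Z","event":"config_export","user":"admin","src":"203.0.113.9","client":"script"}
{"ts":"2025-09-18T09:30:11Z","event":"config_export","user":"admin","src":"10.20.0.15","client":"browser"}
{"ts":"2025-09-18T09:31:00Z","event":"api_call","user":"backup-svc","src":"10.20.0.15","token_id":"tok-0a1"}
{"ts":"2025-09-18T11:45:51Z","event":"api_call","user":"backup-svc","src":"198.51.100.77","token_id":"tok-ffff"}
{"ts":"2025-09-18T12:02:30Z","event":"rule_add","user":"admin","src":"10.20.0.15","from_zone":"WAN","to_zone":"LAN","action":"allow"}
{"ts":"2025-09-18T12:05:00Z","event":"rule_add","user":"admin","src":"10.20.0.15","from_zone":"LAN","to_zone":"DMZ","action":"deny"}
"""

TRUSTED_MGMT = [ip_network("10.20.0.0/24")]        # assumed admin network
KNOWN_TOKENS = {"tok-0a1"}                          # assumed inventory of issued API tokens
TRUST_ZONE_RANK = {"WAN": 0, "DMZ": 1, "LAN": 2}    # assumed ranking; higher = more trusted

def from_trusted(src: str) -> bool:
    return any(ip_address(src) in net for net in TRUSTED_MGMT)

def check(ev: dict):
    """Return a reason string if the event matches one of the watch items, else None."""
    if ev["event"] == "config_export" and not from_trusted(ev["src"]):
        return "configuration download from outside the management network"
    if ev["event"] == "api_call" and ev.get("token_id") not in KNOWN_TOKENS:
        return "API call with a token not in the issued-token inventory"
    if (ev["event"] == "rule_add" and ev["action"] == "allow"
            and TRUST_ZONE_RANK[ev["from_zone"]] < TRUST_ZONE_RANK[ev["to_zone"]]):
        return "new allow rule opening a path from a less trusted zone into a more trusted one"
    return None

def find_alerts(log_text: str):
    """Parse the log and return (timestamp, event, reason) for every matching line."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        reason = check(ev)
        if reason:
            alerts.append((ev["ts"], ev["event"], reason))
    return alerts

if __name__ == "__main__":
    for ts, event, reason in find_alerts(SAMPLE_LOG):
        print(ts, event, "-", reason)
```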
Organizations should also periodically revisit backup enablement policies: making cloud backup an optional and tightly controlled feature ensures that an exposure of that path is limited in impact.
Finally, this incident highlights the need for layered security: credentials must be rotated, access to critical management services should be limited to trusted IPs, multi-factor authentication must be rigorously enforced, and logging must be centralized to correlate cross-system signs of intrusion.