SonicWall Reports That Hackers Accessed All Firewall Backups

In September 2025, SonicWall disclosed a data breach affecting its cloud backup service, initially indicating that fewer than 5% of its customers were affected. That assessment has since changed: SonicWall, working with incident response firm Mandiant, has confirmed that attackers accessed backup configuration files for every customer who had used the service.

The breach originated from a brute-force attack against the MySonicWall cloud backup API, the service that stores encrypted backups of firewall configurations. These files contain everything needed to restore or clone a SonicWall firewall, including network rules, credentials, and routing information. Passwords and encryption keys inside the backups remain encrypted, but the attackers now hold complete configuration data that could let them map customer networks and plan targeted attacks.

“The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service. The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks.”

SonicWall

SonicWall's final investigation report says that updated lists of affected devices are available in the MySonicWall portal, where customers can check whether each firewall is categorised as "Active – High Priority," "Active – Lower Priority," or "Inactive," according to its level of exposure. This lets customers prioritise their response.

SonicWall says it has added monitoring tools and hardened its cloud infrastructure, and has published remediation guidance. Customers are urged to start with high-priority devices that expose internet-facing services, using the support tools provided to identify configurations that need immediate attention. Because the exposed files carry credentials, the practical priority for an affected organisation is to treat every secret stored in an affected backup as compromised and rotate it, rather than rely on the encryption holding.

SonicWall continues to partner with Mandiant in fortifying its systems while providing support to affected users. Their recent communications stress the importance of transparency and prevention in the aftermath of this significant security incident.

According to Ryan Dewhurst, Head of Proactive Threat Intelligence at watchTowr, the breach carries serious implications due to the sensitive nature of the exposed data. He noted, “Attackers gained access to valuable information, including firewall rules and encrypted credentials. Even if passwords are encrypted, weak ones can be compromised offline, and the configuration data alone gives attackers substantial insight for planning targeted assaults.”

Dewhurst also questioned the security posture of a service handling such sensitive data, asking why basic protective measures were absent. He emphasised that, "A brute force attack on an API should have been mitigated through rate limiting and robust access controls."
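To make the missing control concrete, here is an added example (not SonicWall's code, and not part of the original article) of the kind of per-account and per-source brute-force guard an API that authenticates access to backups would normally sit behind. The thresholds, the account names, the source IPs and the wordlist are all constructed assumptions for the demonstration; the article does not describe how the real MySonicWall API behaved, only that a brute-force attack succeeded against it.

```python
"""Brute-force guard for a credential-checking API endpoint.

Added example, not SonicWall's code. All thresholds, accounts, IPs and
the wordlist below are constructed for the demonstration.
"""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window for counting attempts (assumed)
MAX_FAILURES = 5         # failed guesses per account per window (assumed)
BASE_LOCKOUT = 30.0      # seconds; doubles on every further lockout (assumed)
MAX_IP_ATTEMPTS = 20     # attempts of any outcome per source IP per window (assumed)


class BruteForceGuard:
    """Per-account lockout with exponential backoff plus a per-IP cap."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)     # account -> failed-attempt times
        self.ip_attempts = defaultdict(deque)  # ip -> times of all attempts
        self.locked_until = {}                 # account -> unlock time
        self.lockouts = defaultdict(int)       # account -> lockouts so far

    def _prune(self, dq, now):
        # Drop timestamps that fell out of the sliding window.
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def check(self, account, ip):
        """Return None if the attempt may be evaluated, else a reject reason."""
        now = self.clock()
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return "account_locked"          # lockout still in force
        dq = self.ip_attempts[ip]
        self._prune(dq, now)
        if len(dq) >= MAX_IP_ATTEMPTS:
            return "ip_rate_limited"         # spraying many accounts from one IP
        dq.append(now)
        return None

    def record(self, account, ok):
        """Update state after the credential check ran."""
        now = self.clock()
        if ok:
            self.failures.pop(account, None)
            return
        dq = self.failures[account]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) >= MAX_FAILURES:
            n = self.lockouts[account]
            self.locked_until[account] = now + BASE_LOCKOUT * (2 ** n)
            self.lockouts[account] = n + 1
            dq.clear()


class FakeClock:
    """Deterministic clock so the simulation runs instantly and reproducibly."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t


# Constructed data: one target account and the attacker's guess list.
PASSWORDS = {"acme-admin": "Fw-Backup!9"}
WORDLIST = ["password", "123456", "admin", "sonicwall", "firewall1", "letmein",
            "welcome", "Passw0rd", "qwerty", "changeme", "summer2025", "Fw-Backup!9",
            "backup", "root", "toor", "guest", "default", "Admin123", "P@ssw0rd", "secret"]


def single_account_attack():
    """20 guesses against one account from one IP, one every 0.5 s (constructed)."""
    return [(i * 0.5, "acme-admin", "198.51.100.7", w) for i, w in enumerate(WORDLIST)]


def password_spray():
    """One guess against each of 25 accounts from one IP, 0.1 s apart (constructed)."""
    return [(i * 0.1, f"customer-{i:02d}", "203.0.113.5", "Summer2025!") for i in range(25)]


def simulate(attempts, passwords, guarded=True):
    """Replay (time, account, ip, guess) tuples; return one outcome per attempt."""
    clock = FakeClock()
    guard = BruteForceGuard(clock.now)
    outcomes = []
    for t, account, ip, guess in attempts:
        clock.t = t
        if guarded:
            reason = guard.check(account, ip)
            if reason:
                outcomes.append(reason)
                continue
        ok = passwords.get(account) == guess     # stand-in for the real credential check
        if guarded:
            guard.record(account, ok)
        outcomes.append("success" if ok else "failure")
    return outcomes


if __name__ == "__main__":
    for name, attempts in (("single account", single_account_attack()),
                           ("password spray", password_spray())):
        for guarded in (False, True):
            out = simulate(attempts, PASSWORDS, guarded)
            evaluated = out.count("failure") + out.count("success")
            print(f"{name:15s} guarded={guarded!s:5s} success={'success' in out!s:5s} "
                  f"evaluated={evaluated:2d} rejected={len(out) - evaluated}")
```

Unguarded, the correct password is the twelfth guess and the attacker wins in six seconds; with the guard, the fifth failure locks the account for 30 seconds and the correct guess is never evaluated, while the spray from a single address is cut off after 20 attempts. The per-IP cap is the weak part of such a scheme: an attacker who spreads guesses across many addresses defeats it, which is why the per-account lockout, backoff, and alerting on the lockouts themselves carry most of the weight.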

The incident is a reminder that a service holding firewall configurations and credentials is as valuable a target as the firewalls themselves, and needs the same level of access control and monitoring.
