SonicWall Breach: Firewall Backup Files Exposed
- Ranjith Manne

- Oct 7, 2025
Updated: Jan 27
SonicWall: Understanding the Recent Cloud Backup Security Incident
===================================================================
SonicWall, a leading provider of firewall security solutions, recently faced a significant security incident. Its firewalls offer a cloud backup option that lets customers store preference files. These files contain configurations, encrypted credentials, and other essential information. Unknown attackers compromised this cloud-based storage and gained access to a small portion of customer preference files. SonicWall confirmed that fewer than 5% of all customer files were affected. The company officially disclosed the incident on 17 September 2025.

How Did It Happen?
------------------
SonicWall’s security teams detected suspicious activity targeting the cloud backup service for firewalls in the days leading up to the incident. Investigations revealed that attackers conducted brute-force attacks, which allowed them to access customer preference files stored in the cloud. Currently, the identity of the attackers remains unknown.

On 17 September, SonicWall officially disclosed the incident and communicated with customers and partners via email. They stated that they are not aware of these files being leaked online by threat actors. Additionally, SonicWall confirmed that this incident was not a ransomware attack.

What Is the Impact?
-------------------
The exposed backup files contained encrypted credentials and configuration details. These details could potentially enable attackers to exploit firewalls. Although there is no current evidence of the files being leaked or misused, the data could grant unauthorized access to services running on affected devices.

What Are the Preventive Measures?
---------------------------------
SonicWall has released preventive measures in their Knowledge Base (KB) articles on their website. Here are the recommended steps:

- Verify Cloud Backups: Log in to MySonicWall.com to check if cloud backups are enabled.
- Check Affected Serial Numbers: Ensure that any affected serial numbers are flagged in your accounts.
- Initiate Containment and Remediation:
  - Limit access to services from WAN.
  - Turn off access to HTTP/HTTPS/SSH Management.
  - Disable access to SSL VPN and IPSec VPN.
  - Reset passwords and Time-Based One-Time Passwords (TOTPs) saved on the firewall.
  - Review logs and recent configuration changes for unusual activity.
- Use SonicWall's Online Tool: SonicWall has released an online tool that analyzes firewall configuration files and provides targeted remediation guidance. This tool streamlines the process by automatically identifying which services require action, eliminating the need for administrators to follow lengthy conditional checklists.


Importance of Cybersecurity
---------------------------
In today's digital landscape, cybersecurity is crucial for businesses of all sizes. The recent incident involving SonicWall highlights the importance of securing digital assets and navigating complex compliance requirements. As a trusted leader in cybersecurity, Crystalline aims to help businesses protect their information and develop tailored security strategies.

Conclusion
----------
The SonicWall incident serves as a reminder of the vulnerabilities that exist in cloud-based services. It emphasizes the need for businesses to remain vigilant and proactive in their cybersecurity efforts. By following the recommended preventive measures, organizations can better protect themselves against potential threats.



