
SonicWall Cloud Backup Breach: Follow-up

  • Writer: Ranjith Manne
  • Feb 16
  • 1 min read

Latest Update and Final Investigation Results

Since SonicWall's initial disclosure on September 17, 2025, which stated that its cloud-based firewall backup service had been compromised, affecting less than 5% of its customers, further investigation has revealed more serious implications.

According to the latest reports from an investigation conducted by SonicWall in collaboration with Mandiant, a well-known cybersecurity incident response firm, it has been confirmed that an unauthorized party accessed firewall configuration backup files for 100% of customers using the cloud backup feature, impacting all users of that feature, not just a few as previously stated. This joint investigation began shortly after the initial disclosure and concluded by October 8-9, 2025.

SonicWall stated that it has hardened the security of its cloud infrastructure and is working closely with Mandiant to improve its monitoring and prevention capabilities. To assist system and network administrators in the recovery process, SonicWall has also released tools to help them work with the affected preference files more easily, along with specific recommendations for fixing issues.

The accessed preference files contain encrypted credentials and detailed configuration data, including network rules, VPN settings, firewall policies, certificates, user accounts, and security service configurations. While SonicWall has confirmed that the data was encrypted both locally and in cloud storage, possession of these files still poses a significant risk of targeted attacks against the affected firewalls.

SonicWall has published an updated and comprehensive list of impacted devices, which customers can review within their MySonicWall Portal. The list categorizes devices by priority based on their exposure to the internet. Customers are strongly urged to:

  • Immediately review their devices, 

  • Reset all related credentials (including passwords, keys, TOTP bindings, and VPN pre-shared keys), 

  • Follow the provided containment and remediation guidance to secure their networks. 
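The three steps above amount to a credential-rotation campaign across every device on the impacted list, and on a large estate the hard part is tracking which devices still have outstanding resets. The following script is an added example written for this post; it is not SonicWall's tool and does not touch a firewall. It assumes two constructed CSV exports: an impacted-device list with an exposure label (the column names and the labels "internet-exposed", "limited-exposure" and "internal-only" are assumptions, modelled on the priority grouping the post describes) and a rotation log kept by the administrators. It reports, in priority order, every device with a credential type that has not been reset since the disclosure date, treating rotations performed before September 17, 2025 as not counting.

```python
import csv
import io
from datetime import date

# The four credential classes the post says must be reset on every impacted device.
CREDENTIAL_TYPES = ("passwords", "keys", "totp_bindings", "vpn_psk")

# Assumed exposure labels, lower number = higher priority (internet-facing first).
PRIORITY = {"internet-exposed": 0, "limited-exposure": 1, "internal-only": 2}

# Date of SonicWall's initial disclosure; resets before it do not count.
DISCLOSURE_DATE = date(2025, 9, 17)

# Constructed sample export of impacted devices (column names are assumptions).
DEVICE_EXPORT = """serial,exposure
FW-0001,internet-exposed
FW-0002,internal-only
FW-0003,internet-exposed
"""

# Constructed sample rotation log maintained by the administrators.
ROTATION_LOG = """serial,credential,rotated_on
FW-0001,passwords,2025-10-01
FW-0001,keys,2025-10-01
FW-0001,totp_bindings,2025-10-01
FW-0001,vpn_psk,2025-10-01
FW-0002,passwords,2025-10-02
FW-0003,passwords,2025-09-01
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def outstanding_actions(devices, rotations, disclosed=DISCLOSURE_DATE):
    """Return devices that still need resets, highest priority first.

    Each entry lists the credential types not rotated on or after `disclosed`.
    Unknown credential names in the log are ignored rather than credited.
    """
    rotated = {}  # serial -> set of credential types reset after disclosure
    for row in rotations:
        if row["credential"] not in CREDENTIAL_TYPES:
            continue
        if date.fromisoformat(row["rotated_on"]) >= disclosed:
            rotated.setdefault(row["serial"], set()).add(row["credential"])

    pending = []
    for dev in devices:
        done = rotated.get(dev["serial"], set())
        missing = [c for c in CREDENTIAL_TYPES if c not in done]
        if missing:
            pending.append({
                "serial": dev["serial"],
                "exposure": dev["exposure"],
                "priority": PRIORITY.get(dev["exposure"], len(PRIORITY)),
                "missing": missing,
            })
    # Internet-exposed devices come first; ties broken by serial for stable output.
    pending.sort(key=lambda e: (e["priority"], e["serial"]))
    return pending


def completion_rate(devices, rotations):
    """Fraction of impacted devices with all four credential types reset."""
    if not devices:
        return 1.0
    remaining = len(outstanding_actions(devices, rotations))
    return (len(devices) - remaining) / len(devices)


DEVICES = parse_csv(DEVICE_EXPORT)
ROTATIONS = parse_csv(ROTATION_LOG)

if __name__ == "__main__":
    for entry in outstanding_actions(DEVICES, ROTATIONS):
        print(f'{entry["serial"]} ({entry["exposure"]}): reset {", ".join(entry["missing"])}')
    print(f"complete: {completion_rate(DEVICES, ROTATIONS):.0%}")
```

With the constructed data, FW-0001 is fully remediated, FW-0003 is listed first because it is internet-exposed and its only reset predates the disclosure, and FW-0002 still needs keys, TOTP bindings and the VPN pre-shared key. Feeding the script a real export and a real rotation log turns the post's checklist into a measurable backlog.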
