SonicWall Breach: Attackers Compromise Cloud Backup Service and Expose Firewall Data

September 23, 2025

SonicWall has advised some of its customers to reset their passwords following a security breach involving its cloud backup service, which resulted in unauthorized access to firewall configuration data.

Details of the Incident

The network security firm confirmed the incident through an updated knowledge base article and a statement to The Register. The breach was initially detected after suspicious activity was observed targeting SonicWall’s cloud backup service for firewalls. SonicWall described this event as a security incident that occurred in recent days.

Scope and Impact

Michael Crean, Senior Vice President of Managed Security Services at SonicWall, indicated that fewer than 5% of the installed firewall base was affected, with some preference files accessed. Although these files contained encrypted credentials, they also included information that could potentially enable attackers to exploit firewall vulnerabilities. SonicWall emphasized that the incident was not ransomware-related but resulted from brute-force attacks aimed at gaining access to backup preference files.

Response and Mitigation Measures

Upon confirming the breach, SonicWall took immediate steps to mitigate further damage by disabling the cloud backup feature, rotating internal security keys, and implementing infrastructure and process improvements. The company also enlisted a leading third-party incident response and consulting firm to verify its findings and review compromised environments.

Customer Instructions

Affected customers are advised to:

Support teams are available to guide impacted clients through these procedures.

Ongoing Investigation and Updates

SonicWall stated that its investigation remains ongoing and has committed to full transparency, providing updates to the knowledge base before any public announcements. As of now, there is no evidence suggesting that stolen files have been leaked or weaponized.

Wider Context and Risks

This breach underscores the increasing targeting of firewall vendors and security infrastructure. Earlier this summer, researchers highlighted the abuse of SonicWall devices by the Akira ransomware group, exploiting vulnerabilities for lateral movement and extortion. Additionally, a recent incident revealed that some customers stored recovery codes in plaintext, leaving a backdoor open even after password changes.

Urgent Call to Action

With firewalls becoming a prime target for cybercriminals, SonicWall urges administrators to review their environments promptly and follow the recommended guidelines to secure their systems.
