In September 2025, SonicWall reported a data breach of its cloud backup service, stating that fewer than 5% of its customers had been affected. At the time, the issue appeared contained and under investigation. That has now changed, after SonicWall and incident response firm Mandiant confirmed that the attackers had accessed backup configuration files for every customer using the service.
The breach began with a brute force attack targeting the MySonicWall cloud backup API, which stores encrypted firewall configuration files. These files include detailed network rules, credentials and routing data used to restore or replicate SonicWall firewalls. While the passwords and keys remain encrypted, the attackers now hold full configuration data that could be valuable for mapping or exploiting customer networks.
“The investigation confirmed that an unauthorised party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service. The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files might increase the risk of targeted attacks.”
SonicWall
SonicWall’s final investigation report says updated lists of affected devices are now available in the MySonicWall portal. Customers can see whether their firewalls are labelled “Active – High Priority,” “Active – Lower Priority,” or “Inactive,” depending on exposure level.
The company has also added new monitoring tools, strengthened its cloud infrastructure, and published detailed remediation guidance. Customers are advised to focus first on high-priority devices with internet-facing services, using the support tool provided to identify which configurations need immediate review.
SonicWall says it continues to work with Mandiant to strengthen its systems and support affected customers. The company’s updated communication emphasises transparency and prevention after what has become one of its most extensive security incidents to date.
Ryan Dewhurst, Head of Proactive Threat Intelligence at watchTowr, said the breach is serious because of the type of data exposed. “Attackers gained access to a treasure trove of sensitive information, including firewall rules and encrypted credentials,” he said. “Even though passwords are encrypted, if they were weak, they can be cracked offline. And even without that, the configuration data gives attackers enough insight to plan more targeted attacks.”
He also questioned why a service hosting such sensitive data lacked basic protective measures. “A brute force attack on an API should have been blocked by rate limiting and stronger access controls,” Dewhurst noted.







