Cyberveille, curated by Decio
2 results tagged MySonicWall
Attack on SonicWall’s cloud portal exposes customers’ firewall configurations https://cyberscoop.com/sonicwall-cyberattack-customer-firewall-configurations
22/09/2025 18:07:53

By Matt Kapko

September 17, 2025

The company confirmed to CyberScoop that an unidentified cybercriminal accessed SonicWall’s customer portal through a series of brute-force attacks.

SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files — the latest in a steady stream of security weaknesses impacting the besieged vendor and its customers.

The company’s security teams began investigating suspicious activity and validated the attack “in the past few days,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop. “Our investigation determined that less than 5% of our firewall install base had backup firewall preference files stored in the cloud for these devices accessed by threat actors.”

While SonicWall customers have been repeatedly bombarded by actively exploited vulnerabilities in SonicWall devices, this attack marks a new pressure point — an attack on a customer-facing system the company controls.

This distinction is significant because it indicates systemic security shortcomings exist throughout SonicWall’s product lines, internal infrastructure and practices.

“Incidents like this underscore the importance of security vendors — not just SonicWall — to hold themselves to the same or higher standards that they expect of their customers,” Mauricio Sanchez, senior director of enterprise security and networking research at Dell’Oro Group, told CyberScoop.

“When the compromise occurs in a vendor-operated system rather than a customer-deployed product, the consequences can be particularly damaging because trust in the vendor’s broader ecosystem is at stake,” he added.

SonicWall acknowledged the potential downstream risk for customers is severe. “While the files contained encrypted passwords, they also included information that could make it easier for attackers to potentially exploit firewalls,” Fitzgerald said.

“This was not a ransomware or similar event for SonicWall, rather this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” he added.

SonicWall did not identify or name those responsible for the attack, adding that it hasn’t seen evidence of any online leaks of the stolen files. The company said it disabled access to the backup feature, took steps across infrastructure and processes to bolster the security of its systems and initiated an investigation with assistance from an incident response and consulting firm.

Sanchez described the breach as a serious issue. “These files often contain detailed network architecture, rules, and policies that could provide attackers with a roadmap to exploit weaknesses more efficiently,” he said. “While resetting credentials is a necessary first step, it does not address the potential long-term risks tied to the information already in adversaries’ hands.”

SonicWall said it has notified law enforcement, impacted customers and partners. Customers can check if impacted serial numbers are listed in their MySonicWall account, and those determined to be at risk are advised to reset credentials, contain, remediate and monitor logs for unusual activity.

Many vendors allow customers to store configuration data in cloud-managed portals, a practice that introduces inherent risks, Sanchez said.

“Vendors must continuously weigh the convenience provided against the potential consequences of compromise, and customers should hold them accountable to strong transparency and remediation practices when incidents occur,” he added.

Organizations using SonicWall firewalls have confronted persistent attack sprees for years, as evidenced by the vendor’s 14 appearances on CISA’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a recent wave of about 40 Akira ransomware attacks.

Fitzgerald said SonicWall is committed to full transparency and the company will share updates as its investigation continues.

Tags: cyberscoop.com, EN, 2025, SonicWall, MySonicWall, incident, cloud
MySonicWall Cloud Backup File Incident https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330?is=e4f6b16c6de31130985364bb824bcb39ef6b2c4e902e4e553f0ec11bdbefc118
22/09/2025 18:04:06
Updated September 22, 2025

Description

SonicWall’s security teams recently detected suspicious activity targeting the cloud backup service for firewalls, which we confirmed as a security incident in the past few days.

Our investigation found that threat actors accessed backup firewall preference files stored in the cloud for fewer than 5% of our firewall install base. While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall.

We are not presently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.

TIP: Learn more by watching this helpful video guide here
Affected Products:

SonicWall Firewalls with preference files backed up in MySonicWall.com

Due to the sensitivity of the configuration files, we highly encourage customers to take the following steps immediately:

Log in to your MySonicWall.com account and verify whether cloud backups exist for your registered firewalls:
    If fields are blank (Figure 1): You are NOT at risk.
    Figure 1 – Does Not Contain Backup

    If fields contain backup details (Figure 2): Please continue reading.
    Figure 2 – Contains Backups

Verify whether impacted serial numbers are listed in your account. Upon login, navigate to Product Management | Issue List; the affected serial numbers will be flagged with information such as Friendly Name, Last Download Date and Known Impacted Services.

    If Serial Numbers are shown: the listed firewalls are at risk and should follow the containment and remediation guidelines: Essential Credential Reset
    NOTE: Impacted Services should be used for general guidance only. The services listed were identified as being enabled and should be immediately reviewed. ALL SERVICES WITH CREDENTIALS THAT WERE ENABLED AT, OR BEFORE, THE TIME OF BACKUP SHOULD BE REVIEWED FOR EACH SERIAL NUMBER LISTED.
    If you have used the Cloud Backup feature but no Serial Numbers are shown, or only some of your registered Serial Numbers are shown:
            SonicWall will provide additional guidance in coming days to determine if your backup files were impacted.
            Please check back on this page for this additional information: MySonicWall Cloud Backup File Incident

Technical Containment and Mitigation Documentation can be found at:

Essential Credential Reset
Remediation Playbook

NOTE: Use the SonicWall Online Tool to identify services that require remediation. Follow the on-screen instructions to proceed. (UPE Mode is not supported.)

We have a dedicated support service team available to help you with any of these changes. If you need any assistance, please log in to your MySonicWall account and open a case with our Support team. You can access your account at: https://www.mysonicwall.com/muir/login.
Change Log:

2025-9-17 4:40 AM PDT: Initial publish.
2025-9-17 2:45 PM PDT: Minor formatting update.
2025-9-17 8:45 PM PDT: Revised incident disclosure text to clarify scope (<5% of firewalls), encrypted credentials, no known leaks, and brute-force (not ransomware) attack.
2025-9-18 5:38 AM PDT: Changed formatting and provided detailed steps with screenshots.
2025-9-18 9:19 AM PDT: Updated guidance steps, navigation screenshots, and note clarifying review of impacted services.
2025-9-18 4:30 PM PDT: Updated KB text and image to clarify affected products, provide step-by-step backup verification instructions, and replace figures showing when backups are or are not present.
2025-9-19 1:15 PM PDT: No updates at this time.
2025-9-20 9:15 AM PDT: Added a Tip with a video guide and a Note linking to the SonicWall online tool for firewall configuration analysis and remediation guidance.
2025-9-22 8:20 AM PDT: No updates at this time.
Tags: sonicwall.com, EN, 2025, incident, MySonicWall, cloud, backup