In September 2025, SonicWall reported an information breach of its cloud backup service, stating that fewer than 5% of its clients have been affected. On the time, the difficulty appeared contained and below investigation. That modified at the moment after SonicWall and incident response agency Mandiant confirmed that the attackers had accessed backup configuration recordsdata for each buyer utilizing the service.
The breach started with a brute pressure assault focusing on the MySonicWall cloud backup API, which shops encrypted firewall configuration recordsdata. These recordsdata embrace detailed community guidelines, credentials and routing information used to revive or replicate SonicWall firewalls. Whereas the passwords and keys stay encrypted, the attackers now maintain full configuration information that might be priceless for mapping or exploiting buyer networks.
“The investigation confirmed that an unauthorised social gathering accessed firewall configuration backup recordsdata for all clients who’ve used SonicWall’s cloud backup service. The recordsdata include encrypted credentials and configuration information; whereas encryption stays in place, possession of those recordsdata might improve the chance of focused assaults.”
SonicWall
SonicWall’s closing investigation report says up to date lists of affected gadgets are actually out there within the MySonicWall portal. Prospects can see whether or not their firewalls are labelled “Energetic – Excessive Precedence,” “Energetic – Decrease Precedence,” or “Inactive,” relying on publicity degree.
The corporate has additionally added new monitoring instruments, strengthened its cloud infrastructure, and printed detailed remediation steerage. Prospects are suggested to focus first on high-priority gadgets with internet-facing companies, utilizing the assist device supplied to establish which configurations want rapid assessment.
SonicWall says it continues to work with Mandiant to strengthen its programs and help affected clients. The corporate’s up to date communication emphasises transparency and prevention after what has change into one in every of its most in depth safety incidents to this point.
Ryan Dewhurst, Head of Proactive Risk Intelligence at watchTowr, mentioned the breach is critical due to the kind of information uncovered. “Attackers gained entry to a treasure trove of delicate info, together with firewall guidelines and encrypted credentials,” he mentioned. “Though passwords are encrypted, in the event that they have been weak, they are often cracked offline. And even with out that, the configuration information provides attackers sufficient perception to plan extra focused assaults.”
He additionally questioned why a service internet hosting such delicate information lacked fundamental protecting measures. “A brute pressure assault on an API ought to have been blocked by price limiting and stronger entry controls,” Dewhurst famous.
