On September 17, 2025, SonicWall disclosed a security incident involving unauthorized access to firewall configuration backup files stored in certain MySonicWall accounts. These files contain sensitive information (passwords, shared secrets, and encryption keys) that could significantly ease exploitation of affected firewalls if accessed by threat actors.
The breach was discovered internally and contained before public disclosure. SonicWall terminated the unauthorized access point and initiated coordination with law enforcement and cybersecurity agencies. The company has not attributed the breach to a specific actor, and no ransomware deployment or exploitation campaign has been publicly linked to this incident as of the disclosure date.
According to SonicWall, the exposed data resides in cloud backups of firewall configuration files. These backups are stored within MySonicWall accounts for customers who enabled the cloud backup feature. The incident does not involve a vulnerability in SonicOS or a flaw in the firewall hardware itself, but rather unauthorized access to stored configuration data.
Customers with SonicWall firewalls that have cloud backup enabled in MySonicWall are potentially affected. Upon login, impacted users will see banners flagging affected serial numbers. Customers without cloud backup enabled are not at risk from this specific incident. SonicWall is continuing to assess whether additional accounts may have been impacted and will provide further guidance.
SonicWall released a Remediation Playbook outlining a response for organizations affected by the MySonicWall cloud backup file exposure. The playbook emphasizes executing changes in phases, verifying authentication flows, and documenting updates to ensure operational continuity.
Analyst insight
SonicWall had already been investigating a series of cyber incidents involving its firewalls in the months leading up to this breach. While the cloud backup exposure is distinct from those attacks, it adds another layer of concern for organizations using SonicWall.
The exposure of configuration files could allow threat actors to reconstruct firewall setups, extract credentials, and use them to gain unauthorized access to network environments.
This increases the risk of lateral movement, privilege escalation, and targeted attacks, especially in environments where credentials are reused or not rotated regularly.
Follow SonicWall remediation guidance by restricting access to firewall management interfaces from untrusted networks and rotating all credentials stored in firewall configurations.
Review MySonicWall accounts for flagged serial numbers and confirm whether cloud backup is enabled. If backups were used but no serial numbers were flagged, monitor SonicWall’s support page for updated guidance.
Audit multi-factor authentication (MFA) settings and monitor for unauthorized changes. Although MFA credentials were not explicitly mentioned in the breach, threat actors with configuration access may attempt to manipulate authentication flows.