September 23, 2025

Unauthorized Access to SonicWall Cloud Backup Firewall Preference Files

Advisory
Kudelski Security Team

Summary

SonicWall has issued security guidance in response to a recent incident involving suspicious activity targeting its cloud backup service for firewalls. An investigation revealed that threat actors accessed backup firewall preference files stored in the cloud. While the credentials in these files were encrypted, the files contained potentially sensitive information that could be used to exploit the related firewalls. This breach has affected less than 5% of SonicWall's firewall install base.

Affected Systems and/or Applications

The affected systems are SonicWall firewalls that use the cloud backup feature through MySonicWall.com.

Specifically, any firewalls that had their backup preference files stored in the cloud are potentially impacted.

Technical Details

The investigation discovered that the breach involved threat actors gaining access to encrypted firewall preference files, which are stored in the cloud as part of the SonicWall cloud backup service. Although the files are encrypted, they contained information that could facilitate the exploitation of the corresponding firewall devices.

The sensitive data within these files includes, but may not be limited to:

  • Credentials
  • Tokens
  • Other configuration details for services running on SonicWall devices

Although no unencrypted data was found, the exposure of these files increases the risk of future exploitation, especially if the attackers are able to further decrypt or misuse the information.

Mitigation

SonicWall has provided the following mitigation steps for affected users:

  • Log in to MySonicWall:
    • Navigate to MySonicWall.com and log into your account.
    • Check if any cloud backups exist for your registered firewalls.
  • Identify Affected Devices:
    • If the backup fields are blank, then your firewall has not been impacted.
    • If backup details are present, proceed to check the Product Management section and then the Issue List.
    • Affected serial numbers will be listed with relevant details such as Friendly Name, Last Download Date, and Known Impacted Services.
  • Review and Remediate:
    • If your firewall’s serial number appears on the Issue List, it is at risk, and SonicWall recommends following the containment and remediation guidelines outlined in their security documentation.
    • If only some or no serial numbers are shown, you may still be impacted. SonicWall will provide further guidance to assess whether your backup files were compromised.

Additional Recommendations

  • If your firewall is listed as affected, SonicWall recommends immediately changing all credentials and tokens associated with the impacted services.
  • Keep an eye on your firewall’s logs and activity to identify any signs of abnormal behavior or exploitation.
  • Stay updated with SonicWall’s security bulletins for additional actions, and follow their official guidelines for containment and remediation.

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is actively engaged in monitoring the situation surrounding the compromised SonicWall backup firewall preference files. An advisory update will be issued if new indicators, techniques, or escalations are identified that could further impact affected systems or require additional mitigation steps.

References

https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-fileincident/250915160910330

https://www.bleepingcomputer.com/news/security/sonicwall-warns-customers-to-reset-credentials-afterMySonicWall-breach/?utm_source=tldrinfosec

https://thehackernews.com/2025/09/sonicwall-urges-password-resets-after.html
