SonicWall urged customers to reset credentials after firewall backup files tied to MySonicWall accounts were exposed. The company announced it had blocked attackers’ access and is working with cybersecurity experts and law enforcement agencies to determine the scope of the breach.
SonicWall says fewer than 5% of customers were impacted and that no files have been leaked, but the breach still poses risks that require urgent action.
“SonicWall’s security teams recently detected suspicious activity targeting the cloud backup service for firewalls, which we confirmed as a security incident in the past few days. Our investigation found that threat actors accessed backup firewall preference files stored in the cloud for fewer than 5% of our firewall install base. While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall,” reads the statement published by the company.
“We are not presently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.”
The incident impacted SonicWall firewalls whose preference files were backed up in MySonicWall.com.
SonicWall urges customers to log into their MySonicWall accounts and check whether cloud backups are enabled. If not, there is no risk. If yes, look for any flagged serial numbers; these indicate affected firewalls that need immediate remediation. If you have used backups but see no flagged devices, SonicWall will share further guidance soon.
The company told affected customers to import new preference files. However, importing the new file disrupts IPsec VPNs, TOTP bindings, and user access. After the import, administrators must reconfigure VPN pre-shared keys and reset TOTP bindings along with user passwords. Because the process reboots the firewall immediately, SonicWall recommends importing during maintenance windows, off-hours, or low-activity periods to reduce downtime.
“The modified preferences file provided by SonicWall was created from the latest preferences file found in cloud storage,” the company says. “These configuration changes have been made to update these possibly exposed parameters and provide a configuration you may find useful for remediation.”
SonicWall says customers who cannot import the new preference files must follow its guidance to manually reset credentials in SonicOS.