MySonicWall Cloud Backup Data Breach

Executive Summary

On October 8th, SonicWall confirmed that threat actors gained access to firewall configuration backup files for all customers who used the MySonicWall cloud backup service. This represents a significant increase in the number of affected organizations compared to SonicWall’s initial estimate in mid-September, which indicated that less than 5% of backup customers were impacted by this situation.

After concluding a joint investigation with Mandiant, SonicWall determined that the MySonicWall cloud backup environment was compromised, which allowed attackers unauthorized access to configuration backups from every customer utilizing the service.

Suspicious activity targeting the MySonicWall backup service was first detected in early September 2025, and access to firewall configuration backup files was purportedly obtained through brute force attacks on the service.

SonicWall has published a list of impacted devices and remediation tooling in their customer portal for impacted clients. The exposed configuration files contain encrypted credentials together with broader, less protected configuration data that is easily readable by attackers. This information could allow attackers to map network topology and identify exposed services on the appliances, increasing the likelihood that an impacted organization will be targeted.

This incident affects all SonicWall firewall products that use the MySonicWall cloud backup feature. Beazley Security advises all SonicWall clients to verify whether their devices were backed up to MySonicWall and, if so, to follow the remediation steps in this advisory to ensure full credential rotation is performed.

Mitigations / Workarounds

Beazley Security strongly recommends that affected organizations perform an immediate credential reset across all devices listed in the MySonicWall Issue List portal. This includes rotating administrator passwords, VPN pre-shared keys, API tokens, directory service credentials, and SNMP community strings.

  • If remediation actions cannot be immediately performed:
    • Restrict any exposed services and VPN access to trusted networks only, until credentials can be rotated.
    • Disable automatic cloud backups until the remediation steps in the “Remediation Actions Required” section of this advisory can be performed.

These steps will help limit potential exploitation related to exposed configurations and reduce risk of targeted attacks until remediation can be completed.

Remediation Actions Required

Beazley Security strongly advises affected MySonicWall clients to change all passwords for services configured on SonicWall firewalls backed up to the service.

Within the MySonicWall portal, SonicWall published a list of affected devices to help identify which appliances should have passwords reset. To identify impacted devices, retrieve the prioritized list by following these steps:

  • Log into MySonicWall -> Product Management -> Issue List to retrieve a device list.
  • Review the list containing priority tags “Active – High Priority”, “Active – Lower Priority” or “Inactive” for guidance on risk associated with each appliance.
  • Disable automatic cloud backups.
  • DO NOT restore from existing cloud backups from MySonicWall. Delete cloud-hosted backups as directed; recreate fresh local backups AFTER rotations are completed.
  • Review MySonicWall and firewall logs for suspicious activity, including authentication attempts or unexpected configuration changes, especially since early September.
  • Perform SonicWall’s “Essential Credential Reset” workflow across impacted firewalls. Services and credentials that should be reviewed for rotation are indicated below.

Credentials Required to be Rotated

Rotate credentials for any of the services being used on impacted devices:

Service: Remediation step description

  • Local User Credentials: Reset and update passwords of all local users. Force all users to set a new strong password.
  • User TOTP Codes: Reset TOTP for all users and re-enroll authenticator apps.
  • LDAP / RADIUS / TACACS+ Secrets: Update bind passwords and shared secrets for LDAP, RADIUS, and TACACS+ authentication. Update passwords on the corresponding authentication servers and in SonicOS.
  • IPSec VPN Secrets: Update shared secrets in all IPSec site-to-site and GroupVPN policies. Replace old pre-shared keys and coordinate with remote administrators.
  • L2TP / PPPoE / PPTP Secrets: Update passwords used for any L2TP, PPPoE, or PPTP WAN interfaces in coordination with ISP account changes.
  • Cloud Secure Edge (CSE) API Keys: Reset Cloud Secure Edge connector authentication and update the API key.
  • AWS API Keys: Update AWS IAM access keys used for logging and VPN integration in the AWS Console and SonicWall settings.
  • SNMPv3 Passwords: Update SNMPv3 user passwords and credentials on monitoring hosts.
  • WWAN Passwords: Update passwords used for cellular WWAN connections and coordinate with ISP updates.
  • Dynamic DNS (DDNS) Provider Passwords: Reset the DDNS provider account password and update SonicOS DDNS entries.
  • ClearPass Passwords: Reset passwords to ClearPass Network Access Control servers. Coordinate with NAC administrators.
  • Email Server Passwords: Reset passwords for email accounts used in log forwarding or OTP delivery.
  • FTP / HTTPS Server Credentials: Reset credentials used for log automation, packet monitor, scheduled reports, and the Dynamic Botnet List Server.
  • Switch Management Passwords: Reset management passwords for Dell/SonicWall integrated switches.
  • Wireless (Internal / Access Points / Virtual) Shared Secrets: Update shared keys for wireless interfaces and profiles. Rotate WPA/WPA2/WPA3 passphrases.
  • SonicPoint / SonicWave (Mgmt) Management Password: Reset the L3 SSLVPN management password and coordinate with SSLVPN server updates.
  • SonicPoint / SonicWave (Admin) Passwords: Reset administrator passwords for SonicPoint/SonicWave devices.
  • SonicPoint / SonicWave (RADIUS) Secrets: Reset RADIUS shared secrets for wireless authentication and MAC Access Control.
  • RADIUS (Local) Secrets: Reset RADIUS shared secrets and LDAP bind credentials for local RADIUS servers.
  • Guest Services Secrets: Reset the shared secret used by External Guest Authentication if message authentication is enabled.
  • SSO / TSA / RADIUS Accounting / 3rd Party API Keys: Reset shared secrets across all SSO, TSA, and related integrations.
  • Accounting (RADIUS / TACACS+) Secrets: Reset shared secrets used for RADIUS and TACACS+ accounting servers.
  • SMTP / POP AppFlow Passwords: Reset the password for SMTP or POP accounts used for AppFlow SFR reporting.
  • NTP Server Passwords: Reset passwords for any custom NTP servers.
  • Signature Proxy Passwords: Reset the password for the proxy server used to download signatures.

SonicWall has stated they have a dedicated support service team to help with any changes regarding this matter. Assistance can be initiated by accessing the MySonicWall portal with an active account and opening a case with their support team.

Indicators of Compromise

At the time of this writing, SonicWall has not provided attribution to a given threat actor or released specific IoCs associated with the incident. However, the following behaviors may indicate attempted exploitation or activity related to the MySonicWall breach:

  • Unusual authentication attempts or repeated login failures against SonicWall interfaces (HTTPS, SSH, or VPN portals)
  • Unexpected configuration changes, such as modified access rules, newly added users, or altered VPN settings
  • Unexpected MySonicWall account activity, such as device deletions or configuration backups not known to administrators
  • Social engineering attempts targeting helpdesk or IT staff that leverage details present in the configuration files to make a request appear authentic

Impacted organizations should collect and review logs beginning no later than early September, as that time frame aligns with SonicWall’s investigation timeline.
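To make the log review above concrete, here is an added example (not part of the original advisory, and not SonicWall tooling) that scans constructed, SonicOS-like syslog lines for the two indicators the list calls out: a burst of login failures from one source, and configuration changes on or after the early-September investigation window. The log line layout, the five-failures-in-five-minutes threshold, and the sample addresses are all assumptions; adapt the regex to the firewall's actual export format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "<ts> <event> src=<ip> user=<name> msg=..." layout.
SAMPLE_LOGS = """\
2025-09-03T02:14:07Z login_failed src=203.0.113.7 user=admin msg="Web login failed"
2025-09-03T02:14:09Z login_failed src=203.0.113.7 user=admin msg="Web login failed"
2025-09-03T02:14:12Z login_failed src=203.0.113.7 user=admin msg="Web login failed"
2025-09-03T02:14:15Z login_failed src=203.0.113.7 user=admin msg="Web login failed"
2025-09-03T02:14:18Z login_failed src=203.0.113.7 user=admin msg="Web login failed"
2025-09-03T02:16:40Z login_success src=203.0.113.7 user=admin msg="Web login succeeded"
2025-09-04T11:02:55Z config_change src=203.0.113.7 user=admin msg="VPN policy modified"
2025-08-20T09:00:00Z config_change src=192.0.2.10 user=netops msg="Access rule added"
2025-09-10T08:30:00Z login_failed src=192.0.2.10 user=netops msg="SSH login failed"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) src=(\S+) user=(\S+) msg="([^"]*)"$')
INVESTIGATION_START = datetime(2025, 9, 1)  # advisory: review from early September
FAILURE_THRESHOLD = 5     # assumed tuning value, not from the advisory
WINDOW_SECONDS = 300      # assumed tuning value, not from the advisory

def parse(text):
    """Parse matching lines into dicts; silently skip lines in another format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event, src, user, msg = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "event": event, "src": src, "user": user, "msg": msg})
    return events

def find_bruteforce_sources(events):
    """Map each source with >= FAILURE_THRESHOLD failures inside WINDOW_SECONDS to
    whether that source later logged in successfully (the higher-severity case)."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            failures[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - FAILURE_THRESHOLD + 1):
            if (times[i + FAILURE_THRESHOLD - 1] - times[i]).total_seconds() <= WINDOW_SECONDS:
                flagged[src] = any(e["event"] == "login_success" and e["src"] == src
                                   and e["ts"] > times[i] for e in events)
                break
    return flagged

def find_config_changes(events, since=INVESTIGATION_START):
    """Return (timestamp, user, message) for configuration changes on or after `since`."""
    return [(e["ts"].isoformat(), e["user"], e["msg"])
            for e in events if e["event"] == "config_change" and e["ts"] >= since]
```

Flagged sources that also show a later successful login, together with any post-September configuration change from the same address, are the events to escalate first.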

Technical Details

According to SonicWall’s incident report, threat actors reportedly exfiltrated backup data from MySonicWall cloud services for all clients using the service to store configuration backups of their SonicWall appliances. The data is considered to contain complete snapshots of firewall configurations, including secrets saved within those configuration files.

The incident stems from unauthorized access to MySonicWall’s cloud backup repository, which stored firewall configuration files (“.EXP” files containing full snapshots) that were uploaded by customers who enabled the cloud backup feature on SonicWall appliances. These backups contain complete device configurations, including network objects, policies, access rules, VPN definitions, secrets, and service settings.

While SonicWall states that credentials within the configurations were encrypted, the broader configuration data is encoded in a manner that makes it easily decodable and readable by an attacker. Sensitive credentials within the configurations, such as passwords, VPN pre-shared keys, and auth tokens, are stated to be protected with AES-256 encryption on Gen7 and newer devices. However, the configurations also give attackers key details about a target’s security posture. This means anyone with access to the files could map out network topology and identify internet-facing services and management interfaces, increasing the risk of successfully executing targeted attacks on affected organizations.

Beazley Security expects that attackers who obtain the exfiltrated configurations will work to decrypt secrets and target impacted clients by utilizing recon from the device configurations. Organizations impacted should treat these configuration files as potentially exposed and reset all associated credentials and secrets accordingly.

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
