In September 2025, SonicWall reported a data breach of its cloud backup service, stating that fewer than 5% of its customers were affected. At the time, the issue appeared contained and under investigation. That changed today after SonicWall and incident response firm Mandiant confirmed that the attackers had accessed backup configuration files for every customer using the service.
The breach began with a brute force attack targeting the MySonicWall cloud backup API, which stores encrypted firewall configuration files. These files include detailed network rules, credentials and routing data used to restore or replicate SonicWall firewalls. While the passwords and keys remain encrypted, the attackers now hold complete configuration data that could be valuable for mapping or exploiting customer networks.
“The investigation confirmed that an unauthorised party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service. The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks.”
SonicWall
SonicWall’s final investigation report says updated lists of affected devices are now available in the MySonicWall portal. Customers can see whether their firewalls are labelled “Active – High Priority,” “Active – Lower Priority,” or “Inactive,” depending on exposure level.
The company has also added new monitoring tools, strengthened its cloud infrastructure, and published detailed remediation guidance. Customers are advised to focus first on high-priority devices with internet-facing services, using the support tool provided to identify which configurations need immediate review.
SonicWall says it continues to work with Mandiant to reinforce its systems and assist affected customers. The company’s updated communication emphasises transparency and prevention after what has become one of its most extensive security incidents to date.
Ryan Dewhurst, Head of Proactive Threat Intelligence at watchTowr, said the breach is serious because of the type of data exposed. “Attackers gained access to a treasure trove of sensitive information, including firewall rules and encrypted credentials,” he said. “Even though passwords are encrypted, if they were weak, they can be cracked offline. And even without that, the configuration data gives attackers enough insight to plan more targeted attacks.”
He also questioned why a service hosting such sensitive data lacked basic protective measures. “A brute force attack on an API should have been blocked by rate limiting and stronger access controls,” Dewhurst noted.
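As an added illustration of the rate-limiting point Dewhurst raises (not code from SonicWall, Mandiant or this article), the following Python detector applies a sliding-window failure threshold per source address and per account to constructed API authentication log lines; the log format, window and threshold are assumptions.

```python
"""Sliding-window brute-force detection over API authentication logs.
Added illustration, not SonicWall's code; log format and thresholds are
constructed assumptions, not values from the incident report."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_FAILURES = 4                # assumed tolerated failures per key in WINDOW

# Constructed sample: one source sweeping many accounts, plus benign noise.
SAMPLE_LOG = """\
2025-09-04T10:00:01Z 203.0.113.7 alice FAIL
2025-09-04T10:00:02Z 203.0.113.7 bob FAIL
2025-09-04T10:00:03Z 203.0.113.7 carol FAIL
2025-09-04T10:00:04Z 203.0.113.7 dave FAIL
2025-09-04T10:00:05Z 203.0.113.7 erin FAIL
2025-09-04T10:01:00Z 198.51.100.9 alice FAIL
2025-09-04T10:01:30Z 198.51.100.9 alice OK
2025-09-04T10:30:00Z 203.0.113.7 grace FAIL
"""

def parse_line(line):
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome

def detect_bruteforce(log_text, window=WINDOW, max_failures=MAX_FAILURES):
    """Return sorted (kind, key, first_alert_time) for keys whose failures
    within `window` exceed `max_failures`. Input is assumed chronological.
    Keys are tracked per source IP (one source, many accounts) and per
    account (one account, many sources); an unthrottled API permits both."""
    failures = defaultdict(deque)   # key -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ts, ip, account, outcome = parse_line(line)
        if outcome != "FAIL":
            continue
        for key in (("ip", ip), ("account", account)):
            q = failures[key]
            q.append(ts)
            while ts - q[0] > window:   # discard failures outside the window
                q.popleft()
            if len(q) > max_failures and key not in alerts:
                alerts[key] = ts
    return sorted((k[0], k[1], t) for k, t in alerts.items())

if __name__ == "__main__":
    for kind, key, when in detect_bruteforce(SAMPLE_LOG):
        print(f"{when.isoformat()} brute force suspected on {kind} {key}")
```

In the sample, the sweeping source trips the per-IP threshold at its fifth failure, while its later single failure at 10:30 falls outside the window and raises nothing.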