SonicWall Confirms Breach Exposing All Customer Firewall Configuration Backups


SonicWall, together with leading incident response firm Mandiant, has completed a thorough review of a recent cloud backup security incident.

The investigation confirmed that an unknown party gained access to all firewall configuration backup files for customers using the MySonicWall cloud backup feature.

These files contain encoded configuration settings and encrypted credentials. Although the credentials themselves remain protected by AES-256 encryption, the threat actor’s possession of these files could aid in crafting highly targeted attacks against affected networks.

SonicWall has published updated, final, comprehensive lists of impacted devices within the MySonicWall portal. Customers can find these lists under Product Management > Issue List.

Each device entry now shows an impact priority classification: Active – High Priority for internet-facing units, Active – Lower Priority for non-internet-facing units, and Inactive for devices that have not checked in for over 90 days.

SonicWall is actively notifying all impacted partners and customers and providing tools to help assess and remediate exposed devices.

All SonicWall partners and customers are urged to log into their MySonicWall.com accounts immediately to verify whether any cloud backups exist for their registered firewalls.

If the backup fields are blank, customers can be confident their devices are not at risk. If backup details are present, customers should:

  1. Check the Issue List for flagged serial numbers; each entry includes the device name, last download date, and impacted services.
  2. Prioritize remediation starting with Active – High Priority devices, then Active – Lower Priority devices.
  3. Review and reset credentials for all services enabled at or before the backup timeframe.
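To make the triage rules above concrete, here is an added example (not SonicWall's or Mandiant's code) that applies the three impact classes and the High-then-Lower remediation order to a constructed Issue List export; the CSV column names, serial numbers and dates are assumptions, since the portal's real export layout is not described in the advisory.

```python
"""Triage a (constructed) MySonicWall Issue List export into a remediation queue."""
import csv
import io
from datetime import date, timedelta

# Constructed sample. Column names and values are assumptions for illustration,
# not SonicWall's real export format; serials are placeholders.
SAMPLE_ISSUE_LIST = """serial,device_name,internet_facing,last_checkin,last_download,impacted_services
PLACEHOLDER-SN-0001,edge-fw-01,yes,2025-10-01,2025-09-20,"admin,ldap,vpn"
PLACEHOLDER-SN-0002,lab-fw-02,no,2025-09-28,2025-09-21,"admin"
PLACEHOLDER-SN-0003,old-fw-03,yes,2025-05-01,2025-06-15,"admin,radius"
"""

TODAY = date(2025, 10, 10)          # fixed so the example is deterministic
INACTIVE_AFTER = timedelta(days=90)  # advisory: no check-in for over 90 days

def classify(row, today=TODAY):
    """Map one device to the advisory's three classes.

    Inactive: no check-in for more than 90 days (exactly 90 is still active).
    Active - High Priority: internet-facing.  Active - Lower Priority: the rest.
    """
    last_checkin = date.fromisoformat(row["last_checkin"])
    if today - last_checkin > INACTIVE_AFTER:
        return "Inactive"
    if row["internet_facing"].strip().lower() == "yes":
        return "Active - High Priority"
    return "Active - Lower Priority"

# Remediation order from the advisory: High first, then Lower, then Inactive.
ORDER = {"Active - High Priority": 0, "Active - Lower Priority": 1, "Inactive": 2}

def remediation_queue(csv_text, today=TODAY):
    """Return device rows in remediation order, each with its priority and
    the list of impacted services whose credentials must be reset."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["priority"] = classify(r, today)
        r["reset_services"] = [s.strip() for s in r["impacted_services"].split(",") if s.strip()]
    rows.sort(key=lambda r: ORDER[r["priority"]])  # stable: keeps file order within a class
    return rows

if __name__ == "__main__":
    for r in remediation_queue(SAMPLE_ISSUE_LIST):
        print(f'{r["priority"]:24} {r["serial"]:20} reset: {", ".join(r["reset_services"])}')
```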

Customers are directed to SonicWall’s Essential Credential Reset guide for containment and remediation steps.


A detailed Remediation Playbook is also available to walk through recovery procedures. SonicWall’s Online Tool for Firewall Config Analysis can identify specific services requiring credential reset.

Configuration backup files use the .EXP extension and contain a full snapshot of a firewall’s settings. Locally exported EXP files are only encoded, with credentials encrypted on modern SonicWall models.


Cloud backup files receive an additional layer of full-file encryption and compression before storage. When a user downloads a cloud backup from MySonicWall, the system decrypts the file and sends it over HTTPS in its encoded state, preserving credential encryption.

To strengthen defenses, SonicWall has implemented additional security hardening measures across its cloud infrastructure and monitoring systems.

The company continues collaborating with Mandiant to enhance detection controls and prevent future unauthorized access.

Customers with questions or requiring assistance should open a support case via the MySonicWall portal.

SonicWall will provide further guidance for customers whose backup fields or serial numbers do not appear in the current Issue List, ensuring every user receives clear instructions on verifying risk and responding to potential exposure.





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.