SonicWall Cloud Backup Files Compromised in Targeted Brute-Force Attack

Published Date: September 19, 2025
Category: ShadowOpsIntel
Share:

SonicWall disclosed a targeted security incident involving its MySonicWall cloud backup service for firewalls, confirmed as of September 17, 2025. The incident impacted a small subset (<5%) of its global firewall install base. Although no malware or ransomware was involved, the exposure of configuration data and encrypted credentials presents potential exploitation risks if not properly remediated.

Severity: High

Incident Summary

  • Date Identified: Mid-September 2025
  • Date Published: Initial disclosure on September 17, 2025, with subsequent updates through September 18
  • Affected Platform: MySonicWall Cloud Backup system
  • Attack Type: Brute-force attacks targeting access to encrypted firewall preference files
  • Impact Scope: Fewer than 5% of SonicWall firewalls with backup files in the cloud

Nature Of The Breach

  • Threat actors executed a series of brute-force attempts targeting the cloud backup infrastructure used for storing firewall configuration files.
  • The files accessed included:
    • Encrypted credentials
    • Configuration and preference settings
  • While the credentials themselves were encrypted, the structure of the configuration files could assist attackers in identifying network architecture and service behaviors, increasing the risk of targeted exploitation.

Sonicwall’s Investigation Findings

  • No evidence that the accessed files have been leaked or publicly exposed as of the latest update.
  • This was not a ransomware or data exfiltration event, but rather a pre-exploitation recon activity.
  • Impact was confirmed through account-level analysis of registered firewall serial numbers and backup file status.

Affected Products

  • SonicWall Firewalls with active or historical cloud backups via MySonicWall.com
  • Devices identified by flagged serial numbers in user accounts
  • Unflagged devices or those without backup entries are not impacted

Recommendations

Follow SonicWall’s Remediation Playbook and Essential Credential Reset guide for containment and mitigation across affected assets.

Source:

  • https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330
  • https://www.sonicwall.com/support/knowledge-base/remediation-through-updated-preferences-file/250916134841513

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert