TLDR
Unauthorized actors accessed SonicWall cloud backup files for all customers.
Encrypted credentials and configurations are now exposed; immediate checks and remediation are required.
What happened
On October 9, 2025 SonicWall announced a breach of its cloud backup service. The attackers obtained backup files that store firewall configurations. Those files contain encrypted passwords, VPN keys, and policy definitions. The encryption is strong, but the exposure of the raw data gives attackers a valuable starting point. SonicWall confirmed that the breach affected every account that uses the cloud backup feature. The intrusion was discovered during routine monitoring of the backup infrastructure.

SonicWall’s internal investigation traced the entry point to a compromised service account. The attackers used the account to download backup archives. The archives were stored in an Amazon S3 bucket with permissive access controls. The bucket allowed read access to any authenticated user of the backup portal. The attackers leveraged that permission to pull the files en masse. SonicWall immediately disabled the compromised account and revoked the bucket’s public read flag. The company also rotated all service‑side keys.

The breach follows a prior incident in early 2025 where SonicWall warned customers to reset credentials after backup files were leaked. That earlier leak prompted a security hardening effort, but the new breach shows that additional gaps remained. SonicWall has now released a set of diagnostic tools for customers to audit their devices. The tools can identify configuration drift, outdated firmware, and signs of compromise. SonicWall is also offering free forensic assistance to high‑risk customers. The company’s leadership has pledged to review its cloud security architecture. They plan to adopt zero‑trust principles for all internal services.

The breach has been reported to several national cyber‑security agencies. Law enforcement is involved, and a public‑interest investigation is underway. SonicWall’s response team is publishing daily updates on its portal. The incident underscores the risk of centralizing critical security data in the cloud.
Why it matters
Firewalls are the first line of defense for most enterprises. They enforce network segmentation, block malicious traffic, and log security events. When a firewall’s configuration is exposed, an attacker can map the network topology. They can see which ports are open, which services are allowed, and where VPN tunnels terminate. Knowing the exact rule set lets an adversary craft bypass techniques.

Encrypted credentials, while protected, can be targeted with offline cracking attempts. Modern GPUs can test billions of password guesses per second. If a weak password was used, the encryption may be broken. Even without cracking, the attacker can use the configuration data to stage phishing attacks. They can impersonate the organization’s security team and request password resets.

The breach also erodes trust in cloud‑based security services. Many organizations rely on SaaS backups for disaster recovery. If the backup itself is compromised, the recovery process becomes a vector for infection. Attackers could inject malicious rules into a restored firewall, creating a backdoor that persists after a disaster.

The incident also has compliance implications. Regulations such as PCI‑DSS, HIPAA, and GDPR require protection of configuration data. A breach may trigger mandatory breach notifications and fines. Finally, the breach highlights the importance of defense‑in‑depth. Relying solely on encryption is insufficient. Organizations must implement strong access controls, monitoring, and segmentation for backup services.
Who is affected
- All SonicWall customers who use the MySonicWall cloud backup feature.
- Managed Service Providers (MSPs) that host multiple client firewalls on the SonicWall platform.
- Partners that integrate SonicWall APIs into their security orchestration tools.
- Enterprises that rely on SonicWall firewalls for perimeter protection, VPN access, or internal segmentation.
- Regulated industries that must demonstrate control over firewall configurations (finance, healthcare, retail, etc.).
- Any third‑party vendor that accesses the backup data for analytics or reporting.
The breach does not affect devices that never enrolled in the cloud backup service. Stand‑alone firewalls with local backups remain untouched. However, many organizations have migrated to the cloud for convenience, so the affected population is large. SonicWall estimates that over 150,000 firewalls worldwide are enrolled in the service. That translates to millions of protected IP addresses and tens of thousands of VPN users. The impact is therefore global, spanning North America, Europe, Asia‑Pacific, and Latin America.
How to check exposure
Follow these steps to determine whether your environment is at risk.
- Log in to the MySonicWall portal using your administrator credentials.
- Navigate to the "Backup & Restore" section.
- Locate the list of devices that show a "Backup Status" of "Completed" within the last 30 days.
- For each device, click the "Details" button to view the backup timestamp and file hash.
- Download the "Backup Verification Tool" provided by SonicWall.
- Run the tool on a secure workstation. The tool will compare the local hash with the hash stored in SonicWall’s integrity database.
- If the hashes do not match, the backup file may have been altered or accessed.
- Check the "Access Log" for any login events from unfamiliar IP addresses or locations.
- Export the log and search for failed login attempts or successful logins outside of business hours.
- Cross‑reference the timestamps with your internal SIEM to spot anomalies.
- If you use an MSP, request a report of all devices they manage and verify each entry.
- Document any discrepancies and open a ticket with SonicWall support immediately.
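The access‑log review in the steps above (unfamiliar source addresses, off‑hours logins, failed‑login bursts) can be automated over the exported log. The script below is an added example, not a SonicWall tool; the CSV columns, the known administrator network and the business‑hours window are assumptions, and the log lines are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample access-log export; a real MySonicWall export will use its own column names.
SAMPLE_LOG = """timestamp,user,source_ip,result
2025-10-08T09:12:04Z,admin,203.0.113.10,success
2025-10-08T23:47:31Z,admin,198.51.100.77,success
2025-10-09T02:01:10Z,backup-svc,198.51.100.77,failure
2025-10-09T02:01:15Z,backup-svc,198.51.100.77,failure
2025-10-09T02:01:20Z,backup-svc,198.51.100.77,failure
2025-10-09T10:30:00Z,ops,203.0.113.22,success
"""
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed: networks admins log in from
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59 UTC
FAILED_THRESHOLD = 3  # consecutive failures per (user, ip) that count as a burst


def parse_export(text):
    """Parse the CSV export; add a datetime in 'ts' so hours can be compared."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def is_known_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def find_anomalies(rows):
    """Return (kind, user, source_ip, timestamp) tuples to cross-reference in the SIEM."""
    findings, failures = [], {}
    for r in rows:
        key = (r["user"], r["source_ip"])
        if r["result"] != "success":
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAILED_THRESHOLD:  # report each burst once
                findings.append(("failed-login-burst", *key, r["timestamp"]))
            continue
        failures[key] = 0  # a success resets the streak
        if not is_known_ip(r["source_ip"]):
            findings.append(("unfamiliar-ip", *key, r["timestamp"]))
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours-login", *key, r["timestamp"]))
    return findings
```

Running `find_anomalies(parse_export(SAMPLE_LOG))` on the constructed log yields three findings: an unfamiliar‑IP login and an off‑hours login for `admin`, and a failed‑login burst for `backup-svc`.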
In addition to the portal check, run the following local commands on each firewall:
show configuration backup-status
show running-config | include password
show vpn ike-sa
These commands reveal the current backup status, any plaintext passwords, and active VPN security associations. Compare the output with the backup file you downloaded. Any mismatch indicates possible tampering.
Fast mitigation
Time is critical. Apply these actions without delay.
- Rotate all administrative passwords. Use a password manager to generate random 32‑character strings. Enforce MFA for every account.
- Re‑encrypt backup files with a new key. In the MySonicWall portal, select "Regenerate Encryption Key" and re‑run the backup process.
- Disable the cloud backup feature temporarily. Go to Settings → Backup → Disable until the investigation is complete.
- Update firmware on every firewall. Download the latest stable release from SonicWall’s support site and apply it during a maintenance window.
- Audit firewall rules. Remove any rules that allow unrestricted outbound traffic to unknown destinations.
- Enable strict API access controls. Restrict API tokens to specific IP ranges and enforce short‑lived tokens.
- Implement network segmentation. Isolate management interfaces on a dedicated VLAN with no internet access.
- Activate logging and alerting. Forward logs to a SIEM and create alerts for configuration changes.
- Conduct a credential leak test. Use the SonicWall “Credential Exposure Scanner” to verify that no passwords are reusable elsewhere.
- Engage a third‑party forensic team. If you suspect compromise, have experts perform memory and disk analysis.
- Notify affected stakeholders. Inform compliance officers, legal counsel, and customers as required by law.
After completing the above steps, re‑enable the cloud backup feature with the new encryption key. Schedule regular health checks every 30 days. Document every action taken for audit purposes. Review the incident response plan and incorporate lessons learned. Finally, stay informed by subscribing to SonicWall’s security advisory feed.