SonicWall has urged all customers to immediately reset administrative and user passwords across their firewall environments after threat actors obtained sensitive configuration backups from the MySonicWall cloud service.
The leaked backups, which contained encrypted credentials, VPN pre-shared keys, and management access secrets, expose networks to potential unauthorized access and persistent compromise.
SonicWall’s advisory emphasizes a three-phase response: containment, remediation, and monitoring to mitigate risk and restore trust in critical perimeter protections.
The Incident and Exposure
Between September 10 and 15, an unknown actor exploited a zero-day vulnerability in the MySonicWall portal’s file-upload subsystem, granting access to archived XML configuration files for subscribing customers.
While the exported files were encrypted at rest, SonicWall confirmed that weak encryption parameters for password fields and pre-shared keys could be brute-forced by skilled adversaries within hours.
Extracted data included local user hashes, TOTP seed values, VPN group-key materials, and SNMP community strings, effectively providing a roadmap to bypass perimeter hardening.
SonicWall’s investigation noted that simultaneous exploitation of management-interface vulnerabilities on older SonicOS versions (6.5.x and 7.3.0) could allow adversaries to elevate privileges and disable logging facilities, making detection of follow-on activity more challenging.
Remediation and Next Steps
Customers are instructed to disable WAN-facing management interfaces (HTTPS, SSH, SNMP, SSLVPN, and IPsec VPN) immediately, allowing only trusted IP ranges if complete disablement is not feasible.
Following containment, administrators must reset all local user accounts and force TOTP re-binding. LDAP, RADIUS, and TACACS+ bind credentials should be rotated both on authentication servers and within SonicOS settings.
All VPN pre-shared keys, site-to-site, GroupVPN, and MySonicWall-provisioned tunnels require regeneration and coordinated updates on remote endpoints.
Passwords for PPPoE, L2TP, PPTP, WWAN cellular interfaces, and dynamic DNS accounts likewise demand resets with upstream providers.
Additionally, AWS IAM keys used for SFR logging and VPN integrations, SNMPv3 engine IDs and user secrets, and proxy server credentials for signature updates must be refreshed.
SonicPoint and SonicWave Wi-Fi deployments also need rotation of WPA3/WPA2/EAP profile keys, and network-side RADIUS secrets for guest, wireless, and SSO services must be updated to prevent man-in-the-middle or lateral-movement scenarios.
Monitoring and Detection
After remediation, continuous auditing of the system and auditing logs is critical. Administrators should export recent logs and employ advanced filtering for anomalous authentication failures, unexpected configuration pushes, or external IPs accessing privileged services.
SonicWall recommends integrating log exports into SIEM solutions for correlation with intrusion detection alerts. Customers using Global Management System (GMS) must update IPSec management-tunnel encryption keys and verify GMS-authenticated backups are adequately secured.
Finally, SonicWall promises additional firmware releases addressing the MySonicWall portal flaw and will provide updated Admin Guide procedures for hardened backup workflows.
All customers are advised to subscribe to SonicWall’s security advisory feed to receive alerts on patch availability and further guidance.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
