SonicWall Confirms Breach Exposing All Customer Firewall Configuration Backups

SonicWall has disclosed that an unauthorized party accessed the encrypted firewall configuration backup files for every customer using its cloud backup service.

In collaboration with leading incident response firm Mandiant, SonicWall completed a thorough investigation and determined that threat actors retrieved files containing sensitive configuration data and encrypted credentials.

Although full-file encryption remains intact, possession of these backups could facilitate highly targeted attacks against affected organizations.

Investigation Findings and Scope

SonicWall engaged Mandiant immediately after detecting irregularities in its cloud backup environment.

The forensic analysis confirmed that attackers exploited a vulnerability in the MSW Cloud Backup API to exfiltrate .EXP backup files for all firewalls registered in MySonicWall.com.

These files store a complete snapshot of device configurations, including administrator credentials and security key material encrypted with AES-256 on Gen 7 and newer appliances.

While configuration parameters are base64-encoded rather than encrypted, secret values remain individually encrypted.

However, access to both elements greatly reduces the complexity of mounting replay or credential-extraction attacks.

The final list of impacted devices is now published in the MySonicWall portal under Product Management > Issue List.

Each entry flags the device’s status—“Active – High Priority” for internet-facing units, “Active – Lower Priority” for internal-only firewalls, and “Inactive” for appliances that have not checked in for 90 days.

SonicWall has begun direct notifications to partners and end users, urging immediate review of the portal’s detailed tables.

Containment Tools and Customer Actions

To assist organizations in assessing exposure and remediating compromised firewalls, SonicWall released two critical tools: the Firewall Config Analysis Tool for identifying services with exposed credentials and the Essential Credential Reset script, which automates password resets for impacted accounts.

The company recommends focusing first on “Active – High Priority” devices, as these systems likely host internet-accessible services.

Upon identifying backups in MySonicWall.com, administrators should cross-reference serial numbers against the Issue List and download the remediation playbook that outlines step-by-step resets and service verifications.

Technical containment guidelines emphasize reviewing every enabled service listed in the backup for potential unauthorized access, resetting credentials for VPN tunnels, administrative accounts, SNMP community strings, and API keys.

The remediation playbook provides example API calls for credential reset execution. For instance, a curl command to reset the firewall’s admin password via the SonicWall REST API might appear as:

```bash
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"newPassword":"S!0n1cN3wP@ss"}' \
  https://<firewall-ip>/api/sonicos/admin/password
```

This snippet demonstrates how automated scripts can streamline mass credential rotation across distributed appliances.
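An added example of the triage step described above, written for this page and not SonicWall's own Firewall Config Analysis Tool: it decodes the readable (base64-encoded) parameters of an exported config, notes which secrets remain individually encrypted, and produces the credential-rotation checklist and priority label for that device. The line layout, the key names and the "ENC:" marker are assumptions for illustration, not the real .EXP format or SonicOS identifiers.

```python
# Added example, not SonicWall's Firewall Config Analysis Tool: triage a
# configuration export whose parameters are base64-encoded while secret
# values stay individually encrypted, as the article describes. The line
# layout (base64 of "key=value", secrets prefixed "ENC:") and the key names
# are assumptions for illustration, not the real .EXP format or SonicOS names.
import base64

# Assumed service-enable keys and the credentials each service depends on.
SERVICE_CREDENTIALS = {
    "sslvpn_enabled": ["sslvpn_user_password"],
    "ipsec_enabled": ["ipsec_preshared_key"],
    "snmp_enabled": ["snmp_community"],
    "api_enabled": ["api_key"],
}
ALWAYS_ROTATE = ["admin_password"]  # rotated regardless of enabled services

def decode_export(blob: str) -> dict:
    """Decode base64 'key=value' lines: parameters are readable as-is."""
    params = {}
    for line in blob.strip().splitlines():
        key, _, value = base64.b64decode(line).decode().partition("=")
        params[key] = value
    return params

def triage(params: dict, internet_facing: bool) -> dict:
    """Build the credential-rotation checklist for one exported config."""
    enabled = [s for s in SERVICE_CREDENTIALS if params.get(s) == "1"]
    rotate = list(ALWAYS_ROTATE)
    for service in enabled:
        rotate.extend(SERVICE_CREDENTIALS[service])
    # Secrets stay ciphertext in the export; readable parameters say what to reset.
    still_encrypted = [k for k in rotate if params.get(k, "").startswith("ENC:")]
    priority = "Active - High Priority" if internet_facing else "Active - Lower Priority"
    return {"priority": priority, "enabled_services": enabled,
            "rotate": rotate, "secrets_still_encrypted": still_encrypted}

# Constructed sample export (every line is base64 of "key=value").
SAMPLE_EXPORT = "\n".join(
    base64.b64encode(f"{k}={v}".encode()).decode() for k, v in [
        ("admin_password", "ENC:ciphertext-1"),
        ("sslvpn_enabled", "1"), ("sslvpn_user_password", "ENC:ciphertext-2"),
        ("ipsec_enabled", "1"), ("ipsec_preshared_key", "ENC:ciphertext-3"),
        ("snmp_enabled", "0"), ("snmp_community", "ENC:ciphertext-4"), ("api_enabled", "0"),
    ])

if __name__ == "__main__":
    for item in triage(decode_export(SAMPLE_EXPORT), internet_facing=True).items():
        print("%s: %s" % item)
```

The checklist deliberately lists only which credentials to rotate, never their values, since the export exposes the secrets only as ciphertext.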

In response to the breach, SonicWall has implemented enhanced monitoring controls and additional encryption layers for the cloud backup workflow.

All data in transit now uses stricter TLS configurations, and files undergo dual encryption: first by the MSW Cloud Backup API, then by device-level secret encryption.

The firm continues collaborating with Mandiant to validate the hardened infrastructure through red-team exercises and advanced threat simulations.

Customers are urged to monitor MySonicWall.com for updated device status and guidance.

Those with cloud backups but no serial numbers listed will receive further instructions in the coming days.

By proactively verifying backup presence, prioritizing high-risk units, and executing credential resets, organizations can mitigate potential exploitation and reinforce their network defenses.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
