SonicWall has confirmed a security incident involving its MySonicWall cloud backup service, after detecting a series of brute-force attacks that successfully accessed configuration files for a subset of customer firewalls.
According to the disclosure, the incident impacts fewer than 5% of SonicWall firewall customers.
The affected files, referred to as firewall preference files, were stored as part of SonicWall’s cloud backup feature available through MySonicWall.com. While sensitive credentials within these files were encrypted, access to this data may allow sophisticated attackers to reverse-engineer security configurations, especially in environments where backup files have not been refreshed or reviewed.
SonicWall emphasized that this was not a ransomware event, nor does it involve widespread compromise across the platform. Rather, it was characterized as a targeted campaign involving brute-force techniques to gain unauthorized access to cloud-stored backup files.
The incident is currently limited to firewalls that had active cloud backups stored in MySonicWall.com. Customers without backups, or whose accounts do not list associated serial numbers, are not considered at risk.
Remediation and Guidance
Customers using the cloud backup feature are urged to immediately verify whether their firewall devices are affected:
Users should log into their MySonicWall.com accounts to determine if cloud backups exist for registered firewalls.
Devices that have associated backup files and appear in the Issue List under Product Management should be considered at risk.
Affected customers are advised to perform a comprehensive credential reset across all services enabled at or before the time of backup.
SonicWall has also published a technical Essential Credential Reset remediation playbook to guide users through the mitigation steps. Additionally, SonicWall support is available through the standard case creation process in the MySonicWall portal.
Further guidance is expected for customers whose backup files may have been accessed, but whose serial numbers do not yet appear flagged. SonicWall has committed to ongoing updates through its official incident page.
While the overall scale of the breach is limited, the incident underscores the risks associated with cloud-stored configuration data, even when encrypted, particularly for security infrastructure products such as firewalls. It also reflects the growing trend of attackers targeting auxiliary services, such as backup systems, to indirectly compromise primary assets.
SonicWall’s response has included continuous updates and revisions made since the initial publication. The company has not identified any further compromise or evidence of widespread misuse of the exposed configuration data.
Visit SonicWall's knowledge base article for more vulnerability and patching information.